We're still failing to properly address a couple of issues in this thread, and I have a few ideas as to why, though I will keep them to myself. Cynicism never helps anyone. Instead, I will take an approach completely contrary to the general attitude of this forum and try to help out.
First, it does no good at all to blame the user. Not a one of you has any clue whether anyone has an authenticator. Claiming to know this, or insisting that it must be a fact, without literally seeing or having it proven by the user that he does not have one, is outright fantasy. It is the same as claiming to be psychic. You simply do not know. Stop acting like you do.
This extends to all the other bad attitudes I've seen. Absolutely the first response given to any thread asking for help has always been "Hah! Your fault, somehow. Sucks to be you." These people have allegedly been the victims of not only a computer security breach (whether on their end or on the Blizzard server), but they have also been the victims of theft. If you were to be held up on the way home from work, I'm sure you would not appreciate the police telling you it was your fault for being on that particular street, or for not taking a CCW course, etc., etc.
With that said, I know in my heart that at least some people are going to lie about the security measures they've taken. Nobody wants to admit that they dropped the ball; that's just human nature. It's embarrassing to know that some of the steps you could have taken might have resulted in the loss of your gear. It is far easier to stretch the truth and make your case stronger. This absolutely does not mean that every single person who has ever been hacked has lied about it, and it certainly does not give you the heavenly ability to somehow "know" which ones have. All you people are doing by claiming fault is stirring the pot and offending others. It's malicious, disrespectful, and rude. The only purpose behind it is to harm others.
Now to the subject at hand. If the original post is to be believed, then there is a problem somewhere in this system which is resulting in the loss of gold and items, but not characters. A mysterious player name is added to the victims' lists just after the attack. It is possible that this can be a computer bug somewhere in the database, but I do not believe that would account for the random friend add. In many of the cases I've seen, the player name is the same. This suggests to me that it is a person who is using an account of their own to drain others of their assets.
If this were a server rollback issue (which has happened to me), then I cast serious doubt on the idea that a character would lose all his assets without losing any levels. In my case, I kept all of my gear and items, but lost a full level and several waypoints. In other cases I've seen, some people have lost entire characters. Again, if this were the case, it would not account for the player add and it would not eliminate just the character's assets.
We also fail to address the logout issue. One of the responses to this thread claimed that he was disconnected with an all-too-familiar error message; that somebody else was logging in with his account. This is certainly not a database issue. I have received this error in Diablo II, but the error has always corrected itself after a time. I do not believe that anyone ever did log into my account, but that does not mean that it can't happen, and doesn't mean it didn't happen here.
This carrying on about "man in the middle" is also receiving far too much attention. It is as if people are assuming that this is the only way in which an authenticator can be breached. I'm not saying it would be easy, and the person cracking them would have to have a great deal of intimate knowledge of the system, but it could be possible. There are machines which can remotely read an RFID tag in your PayPass credit card, record the account number to a blank, and give the criminal complete access to all of your funds. I am certain that there are ways to defeat the security they have implemented. I think that focusing on one method and forsaking the possibility of others is a great way to be blindsided by a new technique.
On top of everything else, I've not yet seen Remote Assistance brought up. How do we know that a hacker hasn't gained access to your system itself, via Remote Assistance, and has simply declined to do anything with it until after you've finished your Diablo III session? A person with that ability would be able to see anything you type, possibly recording it with a video/external hard drive setup, and could certainly gain access to your password. This would not defeat the authenticator, but assuming that such a person has found a way around that, it's possible to remotely access a computer and use the connection to log in to your account. I do not know if this would keep the same IP on your computer, but it seems logical that, if it's still your computer that's logging in, it would be the same IP. If the authenticator only requires a new code when you log in through another IP, that could be the method they are using to defeat the authenticator.
That's a lot of "ifs", but we're all speculating right now. This is pretty scary stuff. We're no longer talking about "just a game". We're talking about hundreds of hours of work put into a game with the potential for some real profit in the long term. Once the possibility of the loss of actual currency is involved, it becomes a much more serious problem. Some people in this world are going to stake all they've got on making a living by selling their gear, whether it's possible that they can or not. Losing an entire account would be devastating.
The security measures mentioned are good ideas. I would supplement them by suggesting that we close all open ports that we don't absolutely need, switch off file and printer sharing, disable Remote Assistance and incoming connections, and disable the default Work Group. If you are using a wireless internet connection, secure it with a password. Don't give out free access to your connection; it's a sure way to compromise your security. Install updates regularly and get the latest Service Packs for your operating system. Many times, security issues are addressed and solved in Service Packs. Anti-virus and malware programs are a good idea, but make sure you're getting one which will actually help; some of these companies are just a protection racket, and will virus you themselves when your free trial runs out.
I also disagree with the captcha idea. I think the authenticator was an excellent solution by Blizzard, and that it will be much more difficult to breach any one system with it in place. You certainly won't get hacked at random if you have one of these; it will take a directed, coordinated effort to get past it. Captcha, on the other hand, can be breached very easily by an image recognition program. Granted, the more complex the variations on the letters and numbers, the more difficult it will be, but there are programs which can match shapes within a certain degree of similarity and determine the proper codes. All Captcha does is annoy valid users; it does not present a significant barrier to bot programs.
That's all I can think of to help this discussion, except for reiterating my stance on attacking the victim. This is literally the same attitude as blaming the victim of a violent attack. You can't say "Well, of course it happened. Look at what you were wearing." There is no measure by which I can communicate how arrogant, selfish, malicious and childish this attitude is. It's right in the forum rules, people. Be respectful.
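The hardening list in the post above (disable Remote Assistance, block incoming connections, switch off file and printer sharing, close ports you don't need, secure the wireless network, keep patches current) can be checked on a Windows PC with a short audit script. The following is an added example, not part of the original post or of any Blizzard tool. It assumes Windows 8 / Server 2012 or later with PowerShell 5.1 (the `Net*` cmdlets are not available on XP or 7), English-language `netsh` output for the Wi-Fi check, and an arbitrary 60-day threshold for "updates are being installed". It only reports; the remediation cmdlets are shown in comments and need an elevated prompt.

```powershell
# Added example (not from the original post): audit a home Windows PC
# against the hardening points discussed in the thread. Read-only.
function Invoke-HomePcAudit {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Remote Assistance: fAllowToGetHelp = 1 means solicited RA is allowed.
    $raKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
    $ra = Get-ItemProperty -Path $raKey -Name fAllowToGetHelp -ErrorAction SilentlyContinue
    if ($ra -and $ra.fAllowToGetHelp -eq 1) {
        $findings.Add('Remote Assistance is enabled (fAllowToGetHelp=1).')
        # Remediation: Set-ItemProperty -Path $raKey -Name fAllowToGetHelp -Value 0
    }

    # 2. Firewall profiles: every profile on, unsolicited inbound blocked.
    foreach ($p in Get-NetFirewallProfile) {
        if (-not $p.Enabled) {
            $findings.Add("Firewall profile '$($p.Name)' is disabled.")
        } elseif ($p.DefaultInboundAction -eq 'Allow') {
            $findings.Add("Firewall profile '$($p.Name)' allows inbound by default.")
        }
        # Remediation: Set-NetFirewallProfile -Name $p.Name -Enabled True -DefaultInboundAction Block
    }

    # 3. File and Printer Sharing: the built-in inbound firewall rule group.
    $fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
                               -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    if ($fps) {
        $findings.Add("$(@($fps).Count) inbound 'File and Printer Sharing' rules are enabled.")
        # Remediation: Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
    }

    # 4. Listening TCP ports bound to all interfaces: each is a service reachable
    #    from the network and should be justified (or its firewall rule removed).
    $listen = Get-NetTCPConnection -State Listen |
              Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') } |
              Sort-Object LocalPort -Unique
    foreach ($c in $listen) {
        $proc = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings.Add("Port $($c.LocalPort)/tcp listens on all interfaces (process: $proc); review.")
    }

    # 5. Wi-Fi: the connected network must not use Open or WEP authentication.
    #    Assumes English netsh output ("Authentication : WPA2-Personal").
    $wlan = netsh wlan show interfaces 2>$null
    $auth = $wlan | Select-String '^\s*Authentication\s*:\s*(.+)$' |
            ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
    foreach ($a in $auth) {
        if ($a -match 'Open|WEP') { $findings.Add("Wi-Fi uses weak authentication: $a") }
    }

    # 6. Patch recency: no hotfix in 60 days (arbitrary threshold) suggests
    #    Windows Update is not running.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-60)) {
        $when = if ($latest) { $latest.InstalledOn.ToShortDateString() } else { 'unknown' }
        $findings.Add("Newest hotfix installed on $when; check Windows Update.")
    }

    return $findings
}

$result = Invoke-HomePcAudit
if ($result.Count -eq 0) { 'No findings: all checks passed.' }
else { $result | ForEach-Object { "[!] $_" } }
```

The listening-port check is deliberately noisy: Windows itself listens on a few ports (RPC, SMB, WSD), so the list is a review queue rather than a verdict. Running the audit once after applying the post's recommendations, and again after each Service Pack or feature update, catches settings that an update or a new application silently re-enabled.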