Real nice, come back after a day and find all my !@#$ gone and the only thing to do is roll back a bunch?
My gaming PC has literally no connection to the internet for anything but legit purchased and downloaded games, I don't even use the browser. My password is in the "Se1gasah212SHS3" ballpark of complexity and unique to battle.net.
I'll get the authenticator, to prevent this from happening, but I am quite curious how this was supposed to be on the user's end.
You've likely used that email/password on another website for registration. Any website. These companies are sophisticated in how they gather and process their data. You can buy, rather cheap, huge stores of key-value pairs of password data hacked or retrieved from a multitude of suspicious and valid websites.