I believe that Blizzard has yet to encounter a hacked account that had Authenticator activated ahead of time.
However, my experience leads me to suspect that some sort of central event is at play here. Such as a compromise at Blizzard in which usernames and passwords were stolen (or at least the email usernames), or some sort of phishing spread via the Blizzard forums themselves.
It generally doesn't happen that so many users of a particular service would get compromised in such a short period of time, unless there was some sort of vector targeting that service. A general-purpose spammer with a list of 100,000 random email addresses or Facebook accounts isn't likely to have much success targeting Diablo 3 customers. Somehow the source of the attacks is able to successfully target Diablo 3 players, meaning at the very least they have access to a list of Diablo 3 players' email addresses to send them malware links, or have posted malware links to a Diablo 3 user hub like these forums. Maybe a fake Facebook Diablo 3 app or something?
My guess would be something that spread via the forums, or Twitter, or email, or Facebook, that targeted people interested in Diablo 3 with an invite to a fake D3 beta or something. Or, Blizzard really did mess up and allow a database of email addresses and/or passwords to get compromised. Something like that had to happen, though. There's no way this many accounts would get compromised just from errant spam or drive-by downloads. Some sort of Diablo-specific vector had to be involved.
The length or complexity of your password doesn't mean much. Account takeovers do not occur via brute force these days and hackers aren't likely to spend time trying to guess your password. Your password can be 12345, it isn't going to matter very much. Once a hacker has your password, they can cut and paste "IUFn298r0nalokjo&^5nbsn" just as easily as they can cut and paste "12345" or "password". Doesn't matter.
All of the above are pretty successfully protected from if you use 2-factor (Authenticator). They even offer it via POTS now, so you don't need a dongle or even a fancy smartphone, you can use any old telephone to do it, for free. Blizzard ought to do more to force people to use it and do more to force people to acknowledge the risks if they don't.
Now, maybe there is a session hijacking thing going on. That would be pretty revolutionary to see something that complicated being launched successfully in such high numbers in such a small period of time. So, it's possible, but I highly doubt it... or I highly doubt that something that advanced is the cause of anything more than a tiny fraction of the account takeovers.
tl;dr: something more than just your typical account takeover is going on, it might be Blizzard's fault, but it might not. Either way, so far I doubt that it is affecting people who use Authenticator, and I doubt that it matters whether your password is complex or simple.
Still tl;dr: Authenticator.
The central event is likely just the new place to log in. This happened when the new battle.net system was rolled out and the login was changed from account name/password to email/password.
Before the system was implemented, people were just using their account name and password. Lots of people had checked the "remember account name" box and therefore never actually entered their account name. At some point, these people's computers became infected with a keylogger, but since the player only entered the password, the keylogger never led to them being hacked. It just never got a full set of login information.
Enter battle.net. Account names are no longer valid for logging in, everyone has to use their email now. So literally every single person in the above situation now had to enter their email for the first time in days, weeks, months, or longer. Bam, the keyloggers, which had been hiding for those days, weeks, months, or longer, now recorded the new email login as well as the password and transmitted the information to the hackers. End result: tons and tons of people were hacked all at once.
The Blue OP in this thread alludes to this, saying that this is nothing out of the ordinary, it's the same thing that happens at every game release, aka when there is a new launcher and people have to type a login name that they may have had saved for a long period of time up until that point.
As for other theories, passwords weren't stolen from Blizzard. They're stored in a 1-way hash that destroys the password if you try to unhash it. When you log in, a hash is created and compared to the hash they have on file and if they match, you win, but just stealing the hashes won't lead to compromises. Phishing websites and emails are highly likely, and people would be more susceptible to them since they haven't seen too many D3 phishes thus far.
As for your authenticator tl;dr..... /signed /signed /signed /signed /signed /signed /signed /signed