I can't read this whole thread, but there was a comment on page 1 that says Blizzard is responsible for these.
I agree. My wife and I had quit World of Warcraft, and when we did, the last thing I did was change the passwords to a couple of long complicated alphanumeric phrases, from the relatively simple number+word passwords that they were.
Never logged in once with them, as we were done... the changing of the PWs was partially to remove the temptation. We never logged in with these passwords. That means there was never any chance for them to be compromised.
Almost a year later... it was 10 months iirc, one of my IRL friends that we played with emailed me and asked if my wife was playing... evidently her account had been logged in for a week or so straight, and not responding to whispers.
The compromising of that account had to come from someone at Blizzard with access to passwords. I don't think there would be any way someone would spend the time to brute-force that password... just for a WoW account.
I don't claim to know how their login system works, if it has a database of logins or whatever. But if you look at something like Active Directory, you can't just simply see the passwords, even as a domain admin. I couldn't tell you how that would work. I'm assuming you would need access to the database in order to pull that information. Something not a lot of people would have and would (or should) be very restricted.