I know what you’re thinking: Sure, denial is exactly what someone would do when they have something to hide. Well take a moment to remember that denial is also something a person will do when they are truly innocent of the charges, so let’s not get ahead of ourselves. Coming off of the release of Diablo III was the well-expected surge in accounts being stolen and stripped clean. Some of those people also happen to have authenticators, raising suspicion as to whether or not the security method has been successfully cracked. I have good news:
Blizzard wants you to know that you are a liar, if you claim to have been hacked with an authenticator already on the account. According to Blizzard, not a single case has been filed where an authenticator was already on the account.
While the authenticator isn’t a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.
On the other hand, you can rest assured that the Blizzard servers have not been breached. And once again to the paranoid conspiracy theorists who think Blizzard compromises/sells accounts to scam/scare users into buying authenticators, you are still wrong.
(Source: Blizzard Forums)
MMO Fallout 
This kind of denial is always so unbelievable for the reasons you explained. Companies *do* and *will* deny these kinds of things if they’ve previously led customers to believe that the security is bulletproof. Such is the case with the authenticator.
I hope they haven’t been cracked, but multitudes of players claiming otherwise isn’t something they should shrug off as impossible or improbable.
I agree,
Considering the files are stored in the authenticator, it means Blizzard is stuck to whatever algorithm was used when the object was created. This means eventually someone will find a way to crack the algorithm and know exactly what code will be used and when. It is an unavoidable future that Blizzard could only hope to delay as long as possible.
Once it becomes public that authenticators are no longer safe, I think we will see a shift from the hardware models to a 100% focus on the smart-phone apps. This will make it possible to simply alter the algorithm at random intervals and keep the crackers guessing, without the need to update as everything will be taken care of server-side.
I am intrigued in the quote I posted. How can the authenticator not be a 100% solution, and yet there’s never been any problems with it? Unless he counts lost/broken dongles, how does one look at millions of authenticators sold/downloaded with apparently 0 accounts stolen of those millions, and say “it isn’t perfect?”
The authenticator has been out for three or four years, if memory serves me. Is that enough time for hackers to crack the algorithm? Possibly. I opened the invitation once before for someone to crack my authenticator and prove to me personally that it is possible, the offer still stands.