Blizzard’s Community Manager, posting under the handle Bashiok, has issued a statement on the Battle.net forums in which he has said that the accounts that were compromised were done so through the use of the accounts password.
We’ve been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person’s account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn’t a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.
If this information is correct then that means Blizzard’s servers weren’t compromised. But Blizzard would never willingly say their systems were breached, given that the millions of Battle.net users have their credit card information sitting on those servers.
Battle.net Forums: http://us.battle.net/d3/en/forum/topic/5149619846?page=29#571