Yes indeed, iPhones and other smart-phones can be hacked.

I was looking for a story where the ssh daemon was running with a standard password on iPhones with hacked firmware (http://www.theinquirer.net/inquirer/news/1561466/iphone-plagued-rick-astley), but also found http://mashable.com/2009/07/30/iphone-hack/ , which is just as bad.

As other people say, an account secured by a stand-alone authenticator is impossibly hard to hack, as hackers need to know your account name and password and a short-lived 6-digit code as well - the code on its own would probably not be sufficient with roughly 10 million players world-wide.
Even if you know someones' account details, with an authenticator chances you get in are only about 1 in a million (a little more to allow for time-skew as was explained in an earlier message). I wonder how many attempts you can brute-force in 30s?

But even with an authenticator you should take basic account security seriously. If your account name or password are the same as the name of one of your characters for example, you make it that much easier for a hacker to get in. You have to realise they aren't hacking "your" account specifically, they just try to get in "any" account working with the information they have. You bet they have a dictionary of level 80 character names to work with.


Earlier up-thread it was mentioned that some accounts got hacked during maintenance; That is actually an intriguing claim! A hacker can't do anything with your account during maintenance, so he can't take your gold or sell your gear either. So either we're talking about a very short window of opportunity just as maintenance starts or ends - more time for brute-force attacking token-numbers would probably be sufficient reason to prefer maintenance to hack accounts, and there's less chance the owner is logged in just before or after maintenance - or there's someone on the inside. I'm pretty sure Blizzard is aware of the latter possibility though, they're probably keeping a close eye on anyone with access during maintenance.

There are some other channels through which a hacker might "get in" with all the web-services Blizzard provides outside the game, to manage your account you need to prove that you are the legitimate owner of the account though - I think the worst someone can do to your account by hacking into a web-service is to mess up your calendar.