Earlier today I recieved a warning mail from blizz, about spam being sent from my bnet acc. First though: someone hacked it. I immediately changed the password.
Then I went to bnet, and found out that my map is deleted. Which confirmed my suspicion. So, I had to reupload the map, to see it slowly getting back to its usual popularity position.
I tried to understand, how they got the access. And the only explaination I came up with was some password trying software. Because other possibilities from the list of ways on blizz site looked barely possible. While my password was realy simple, only 8 digits, 4 of which were "1234". Login (my email) was visible on my map, so password was the easy part.
I am against the authenticator. It somehow was automatically applied to my account and since I do not give blizzard my mobile number I was left with a password that I was never told. Took me two weeks and a copy of my passport to get access to my own account.
The password I use for Battle.net is only for Battle.net, the email address I use for Battle.net is only for Battle.net, and I have an authenticator.
Your password could have been either bruteforced or more than likely, taken in a third party website infiltration. Using the same email address/password combo across multiple websites is a bad idea, especially when REAL money is involved, ie; Battle.net, Paypal, eBay, Steam etc.