D3 account can be hacked via public game, might be explanation to those acc hacked

I<3LYN
post May 23 2012, 05:17 AM

On my way
****
Senior Member
614 posts

Joined: Sep 2009


QUOTE(VinluV @ May 23 2012, 03:56 AM)
I replicated the session hijacking theory, and yep, doable without authenticator, but needs some work.
careful guys.
*
really? show us pictures of guys that you hacked... or it didn't happen
I<3LYN
post May 23 2012, 12:29 PM



QUOTE(VinluV @ May 23 2012, 11:54 AM)
didn't hack anyone as it's complex for automation, I just tested with a friend for over an hour.
you just need to replace some of your session particulars with another person, and for a short time you'll be in control of the other party, then you get errors.

My suspicions are the same as Bashiok, this was well coordinated, and the guys targeted people from the start. Collected the passwords and details. Then they did the "hack" at once.
*
record a video... expose Blizzard blaming technique....
now Blizzard kept blaming the players.
I<3LYN
post May 23 2012, 12:32 PM



QUOTE(farkinid @ May 23 2012, 12:01 PM)
I still don't understand why the game server would pass your session token to other members in the group and vice versa. I haven't done any testing but a Wireshark or tcpdump file would interest me very much.
*
I am going to try to replicate the exploit as well.
I<3LYN
post May 23 2012, 04:09 PM



QUOTE(VinluV @ May 23 2012, 04:04 PM)
probably due to heavy loads on the server.
Wouldn't be surprised that companies would choose the easy and less secure way out of a problem.
I've not played WoW but some guys on my D3 public games told me you can use WoW hacks on D3. Unproven as I don't play WoW or have any knowledge of it.
If you know any HITB/hackerspace fellows, they may have doxed it as well.

edit: just thought of the whisper and message function, not sure if can directly ping user IP/ID from whispering. Any thoughts?
*
with my understanding of the Battle.net 1.0 protocol.. nope you can't get any network info by whispering/messaging a player.

not really sure about Battle.net 2.0 though.

 
