#16 - Aug. 2, 2010, 8:08 p.m.
A man-in-the-middle attack has to be done in real time. Those are noticeable because you don't actually get logged in; it's malicious software that mimics the login page and you are actually communicating with the compromiser, not Blizzard.
Actually copying the authenticator (mostly on jailbroken iPhones) actually makes a physical copy of it.
It's like they have it in their hands.
What I'd recommend here is first - remove this authenticator, then very quickly redownload the app so that you get a new serial number and do NOT back it up. Apply that new serial number to the account immediately.
I don't know if there is a vulnerability in 1st gens, but that would appear to be what happened here. Somehow, they got your backup.
You might want to look into getting a physical authenticator as well. Those aren't vulnerable to this in any way.