Aside from man-in-the-middle attacks, token systems like the Blizzard Authenticator rely on the used algorithm and the secrecy of the token seed.
Usually the token information is saved in a different database on a different server than the actualy login data (most token systems still require a PIN or password), but if a hacker could obtain both databases the system would be broken.
But this is from the server view, the actual security from this system is the client side where - I think in Blizzards case we can say - 100% of all account hacking happens. Even if a hacker gets the username, the password and the tokennumber, he was not able to hijack the account. When a number from the token system is successfully used, it gets marked as such and cannot be used again in a certain timespan, and you have to wait for the token to change. So if the hacker had this information, he could not use it to login, even if he would do it in the timespan until the token changes.
So unless the token algorithm and the seed are weak and rendering the next tokens predictable, the system is very, very safe. No idea how many digits the blizzard authenticator uses (I assume 5 or 6), you can estimate chances of successfully hacking the system if you know the PIN/password and the username are 1 in 10^(5|6) in a single attempt, or accumulated in x attempts until Blizzard closes the account because of too many failed tries.