I think everyone here is failing to understand how accounts become compromised. 99% of the time your login information is taken from another party. Yahoo Mail is a good example. They have had multiple security breaches, and it's easily possible for a search algorithm to run through all of a person's e-mails and look for specific data on account names and passwords. This data is then sold to, in this case, gil-selling websites. If you use a common account name, in this example "JohnDoe", and a common/similar password like "password1" or variations like "Psaswrod2", then it is pretty simple to brute-force an account.

Why is your account not immediately locked when it is maliciously accessed? Account thefts are not usually done by a person. They're run by a 'bot'. Oftentimes these bots are powered by compromised or corrupted computers of ignorant people, and these computers could easily be in your own country. IP addresses can also be faked, although some security systems can see through it.

Accounts compromised with a security token? It is possible, but extremely unlikely. One would have to own a ridiculously infected computer to legitimately get hacked through an authenticator. Any sources that tell you otherwise are simply false, or covering an obvious mistake. One-time passwords are a very complex and encrypted algorithm that is extremely difficult to bypass. The chances of brute-forcing an authenticated account are lower than winning the lottery, getting struck by lightning, and then being eaten by a shark in the same day.

All of these basically sum up to the fact that the more data a hacker has on your account, the more likely it is to be compromised. Losing an account can easily be a coincidence; maybe you're just unlucky, but it most likely is your fault somewhere down the line for using predictable passwords or account names. I have played MMOs for 10 years, a majority of that time without additional security over passwords, and have never been 'hacked'. I have had my e-mail compromised before and quickly changed passwords for every important service I have. Blame SE and say I'm wrong all you want; either way, you're the one waiting for account restoration.