It's not a bug. It's a lack of security on the user's part that allows the authenticator to get added to their account in the first place.
If you had your own authenticator, it wouldn't get one added to it since yours would be on it already.
If you don't own one, well, you would have lost your account anyway, because they managed to get your password, thus allowing them to take over your account long enough to add an authenticator.
Who's at fault? The user who lacks the security measures and likes to click on "cata beta invite" email links.
Sorry if it sounds harsh, but there's no point blaming a company for your own mistake if you managed to lose access to your account.
So you're saying that someone got access to a battle.net account AND the associated email account, and then decided NOT to change the email password? No, the problem is entirely the authenticator, and Blizzard's customer support is so bad that they can't work out how to remove it or even understand the problem.