I don't know how they got in, my computer tests virus-free from a variety of scanners. They got my WoW password but not my email password, making the problem very noticeable, and trading password-changes back and forth with me a couple of times (that is, they changed the password, I changed it again, they then clicked 'reset lost password' since they didn't have my new ones). I had no high-level characters or rares, but they deleted all my characters (why? just for spite?) and created some new obvious gold-spammers.
I'm aware there's a process for recovering lost characters and I'll get into that sometime when I'm not falling-down ill with the flu.