After a bit of back & forth, MtGox eventually gave in and showed me the login logs. Whoever hacked in managed to log on after 3 attempts, so I suspect they've drawn from the passwords I have used on one of the Bitcoin sites, which I won't name here. It seems that they could either 1) withdraw funds from my account if it wasn't protected, or 2) use my account to somehow manipulate the market, or 3) simply trade the account "out" (2600 transactions in 30 mins can't be manual).
I haven't really dug into the info that much, but can someone tell me whether it's possible to trade using the API without generating an API code on Mt Gox?