My password was never changed, I could still access my account - just the funds were converted to BTC and then transferred away.
So if it wasn't an XSS attack and the passwords were strong, it could only be that either the clients, the servers or the network traffic was compromised. Was any victim using Linux? I tend to the servers, but how can you tell?