The interesting part is for such a theft to happen, the thief needed to know that there was an accessible bitcoind on that IP. So, either it is someone close to OP who's stealing him, or there are hackers with crawlers searching for such vulnerable nodes. The latter sounds quite possible, what would mean people using bitcoind RPC should really pay attention to their access rules.
Every node on the network knows the IP addresses of every other node. More or less.
And the port is well known.except rpc port which could be changed freely. -rpcport=
I'm changing my RPC ports to a higher area (10000+) to keep my wallets safe. It's set to allow *.*.*.* with very simple username and password.
This incident(accident) is not the first in cryptocurrency area.
several weeks ago somebody lost all(2850) his fairbrix. Also because of open RPC.