It would have forced whomever got in, however they got in, to use multiple auth's to transfer anything out.  It looks like you still had a live login (since logouts are not shown) and someone hijacked those credentials (or session) and initiated the transfer.  If there had been another auth required at withdrawal (like google, or yubikey), it would have been much more difficult to pull off.

Whatever the case, I'd say Gox owes you a bit more information.