Looks like there was a major hole in how Rift authentication worked, which was exploited by many gold sellers, and as a result MANY people got hacked. It basically allowed people to login as any other account w/o knowing password or email details. A guy on the rift forums independently found what the exploit was:
Account Security Discussion
(it looks like it was some kind of man in the middle attack)
Looks the hole was fixed with the emergency client/server update tonight:
Account Security Discussion
Account Security Discussion