I've been around games where there have been legitimate hacks going on due to site / game flaws, but I'm just not seeing that right now with this game. I believe GGG when they say it wasn't a site or server compromise. From what I understand about GGG's DB setup (which I had talked to a dev a long time ago about some concerns about their password setup), if they gave out the DB itself, no one could trivially get hacked from the password hashes stored.
That is: your hashed password -> [time consuming, mega round hash function] -> database entry
In order for someone to actually use the data, they'd have to also obtain the hashed password hashing function, and then create a dictionary of all common password hashes to compare each with. This approach is nothing new, and is typically how you "protect the database against compromise".
However, there's no need to go through all that trouble if all you care about is attacking accounts with common/dictionary passwords. It's not that hard to write a clientless account brute-force application that supported proxies and used one of the numerous e-mail / password dumps that exist. Someone could just run that across all known e-mails and common passwords and manage to "get lucky" due to how bad people's passwords generally are. If there are a million accounts made and you get lucky with even 1%, that's still 10,000 accounts.
Assuming someone didn't get phished, get social engineered, have their config ini stolen, or get infected via malware, I'd expect that's how most people who got "hacked" did so. If someone made a unique random e-mail for PoE, a long (64+) randomly generated password, and wasn't using any 3rd party applications and practiced safe computing, I don't think they could currently get hacked.
I don't think people understand just how irresponsible some sites are. I lost one of my passwords once due to Yahoo being idiots. The good thing at least was that it wasn't one of my strongest passwords, but it doesn't matter how good your password is when things like that happen all the time (most people just are unaware of it).
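
The storage flow described in the post (client-side hash, then a slow many-round hash on the server, then the database entry), as an added example that is not part of the original post and is not GGG's code. SHA-256 for the client hash, PBKDF2-HMAC-SHA256 with a per-account salt, the round count and all function names are assumptions, since the post names no algorithms.

```python
import hashlib
import hmac
import os

# Assumed work factor; the post only says "time consuming, mega round".
ROUNDS = 200_000


def client_prehash(password: str) -> bytes:
    """What the client sends instead of the raw password (assumed: SHA-256)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def make_db_entry(prehash: bytes, rounds: int = ROUNDS) -> dict:
    """Server side: stretch the client hash with a fresh random salt.

    The salt and round count are stored next to the result so the entry can
    be re-checked later, and so the work factor can be raised over time.
    """
    salt = os.urandom(16)
    stretched = hashlib.pbkdf2_hmac("sha256", prehash, salt, rounds)
    return {"salt": salt, "rounds": rounds, "hash": stretched}


def verify(prehash: bytes, entry: dict) -> bool:
    """Recompute with the stored salt and rounds, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", prehash, entry["salt"], entry["rounds"]
    )
    return hmac.compare_digest(candidate, entry["hash"])


def same_password_entries_differ(password: str) -> bool:
    """Two accounts with the same password must not share a stored hash.

    With a per-account salt, one precomputed dictionary of common-password
    hashes cannot be matched against the whole table at once.
    """
    a = make_db_entry(client_prehash(password))
    b = make_db_entry(client_prehash(password))
    return a["hash"] != b["hash"]


if __name__ == "__main__":
    entry = make_db_entry(client_prehash("constructed sample passphrase"))
    print(verify(client_prehash("constructed sample passphrase"), entry))
    print(verify(client_prehash("123456"), entry))
    print(same_password_entries_differ("123456"))
```

This raises the cost of offline guessing against a leaked table only; it does nothing against online guessing of common passwords through the login endpoint, which is the case the post goes on to describe.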