I've mostly only heard about that with FFXI. But it happens with every MMO. Be careful which links you are clicking in your inbox that you just assume are from Square Enix. I could make an email similar to SE's, tell you that your account has been banned. To which you would say "what the ****? why??" and click, sending you to "Square Enix's website" which is really owned by me, but a replica of theirs. Once you "log in" I have your password and email associated with it and can log in as you and change it.
edit: in fact, there's way more efficient ways of obtaining your account info and sabotaging your account than this, I just thought this would be the easiest to explain.