Happened about 2 months ago - email change, which I was alerted to by email, but wanted to view the email in Outlook, rather than via via a mobile device to check that the links in it were valid...
Hack looks like they combined avios, and made hotel redemption to empty the account out.
Took just under 2 weeks to fully resolve and get accounts back under control.
If its an email change be really clear with them that it is an unauthorised change, and that you aren't in control of the email account its been changed to (and that therefore the change email form route is not appropriate).
Only then did it get escalated the following day when I could see that it had been emptied, and the account locked... And between the email reset being requested, the hotel redemption had been made too!
All points refunded, but only after going through "audit" process, and being crystal clear that family account members had not made the bookings.
The interesting question is what checks are made against the data/information supplied during the "change email address" form. Do they just need account number/email address to effect the change?