I am sorry to hear this happened to you. I hope that you get all of your miles back, it's the right thing for SWA to do. With the myriad of breaches of data from everything from Credit Reporting Agencies to just about ever store you shop at, it is no wonder this is not happening more. Chances are that some account was breached, SWA, or otherwise and the Op used the same email and password combination, or the person that did it figured out another way to do it. I would be willing to bet that whatever it was involved a compromise of information, outside of their control. SWA needs to do better to protect its customers from having this happen, the failure to notify you when your email and account information is changed, then used to book airfares using nearly all of the accounts miles. This shows you they have nothing in place to prevent it from happening, which makes your RR account a lucrative target for fraudsters.
I had this happen two years ago with IHG, wiped out my account and booked airfare using nearly all of my points. IHG at least notifies you when the contact email on your account is changed, the person doing this knew that and initiated an email denial of service attack on my email account, sending me over 7,700 emails in the course of a few hours. It took me over four hours to search through and find the email change email on my IHG account, contacting them (getting India), demanding fraud and getting someone from the US on the phone. They verified my account, they had changed the name, phone, and email on it to one's in Russia. They restored my points, cancelled the transaction to the partner for the airfare (booked for a flight within Russia for the next day), and I was whole again. I'm still dealing with the increased spam caused by it even now, but it's much less now. IHG accounts are still at risk, they still rely on a 4-digit Pin code for your password, and I could never get a good response to what their incorrect password policy was, suspend after how many invalid tries, etc. Someone could easily get your Pin with a bot hitting it, so long as it never violated the unknown incorrect password policy.
I changed every account password I had and started using a Password Tracking service, and I roll passwords sporadically across all of my accounts now.
I have enacted increased security on all of my financial, and travel accounts. I am torn on two-factor authentication for accounts I use often though, they work great if you get the second factor okay, if you do not, it's not easy to access your account, and it's going to happen when you are away from home. So, I recommend using strong passwords, if you hear about a breech someplace, find out if it affected you.
-Patrick