I've had what is described in the link below happen to me today. I didn't get caught by any phishing scam or give out my password, so I'm not quite sure how they got my account info. I had, I think, something like 2,500 points on the account, which were spent. My account is temporarily suspended while Microsoft investigate; it'll likely be around three weeks, they reckon.
Be careful and keep an eye out for this.