From what I read turning on security token seems to kick them out.
Anyways aside from that I'm curious whenever I see this type of thread.

1) Was your password unique? Not used on other sites
2) Did your password have mixed alphabets, numbers, special characters?
3) Did you receive any fake e-mails trying to pretend as Square-Enix?
4) Which FFXIV websites did you visit? If you can list them would be nice.

These should help devs/STF investigate some more to block any future hacks.