I was a victim of this same attack today. I woke up to read a password reset email that I didn't request. I can't log in and the password reset link didn't work either. Although it did say in the reset email that Gox's main support days are Monday to Friday, I replied to the reset email saying I didn't request it. And they got back to me in about an hour and said: "We apologize for the inconvenience caused. We have disabled the withdrawals on the account and we are investigating further on this. We will keep you updated."
I've seen 2 other forum users that got the same attack here:
https://bitcointalk.org/index.php?topic=178336.msg2721093#msg2721093
And another on reddit.
http://www.reddit.com/r/Bitcoin/comments/1i7ydk/psa_reminder_do_not_store_anything_of_value_at_a/
I think the OP's theory that someone can access Gox's password reset mails has some merit.
My reset was done from Belgium not Poland though:
request was made from:
> IP: 81.246.181.166
> Browser: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15