I just had £91 worth of Microsoft Points purchased through my account fraudulently. Noticed the emails come through. Earlier on I had an email asking if I had added a new email address to my account (which I hadn't; the email address seemed to be mostly random letters, which a tactic I know is used by fraudsters), so I swiftly logged in and changed my password, booted the new email address out.
I've contacted my bank immediately and they've cancelled the charges and given me the fraud line to call, but I don't know what the next step is regarding getting a refund on these points from Microsoft. There doesn't appear to be anything on the support site about it.