Saw a lot about this on Reddit. First things first:
Change your password!!!!! Make it long, make sure it isn't the same pass you use elsewhere. If lazy, put two of your commonly used passwords together.
Ok so for details, here is what I'm seeing reported: every person who is getting password reset emails also played WoW with the same email. Is that the case here?
My understanding is that the exploit works like this:
1) People are taking a list of emails that they got elsewhere: maybe WoW breach, old GWG auctions breach, etc.
2) They are doing the password reset. No, they do not need access to your email. The reason this email is getting sent is because they get a different automatic response, i.e. "bad email" or "email sent!". When they see "email sent" they know they have a valid GW2 email address, which allows them to focus their attack. If you have gotten a password reset email, you have specifically been targeted, and the hackers know that your email address is a valid GW2 login.
3) What does it mean to be targeted? It means they are brute forcing your password right now, which doesn't take super long. Or if you are on a list with your email and password combo, hope it isn't the same password. They aren't trying to get into your email address - they don't need to because it's just as easy to get your GW2 pass as it is your email pass.
This is why it is so important your GW2 password is not the same used elsewhere, LONG, and not simply dictionary words. And do not count on using a $ instead of an S - all password checkers do those substitutions.
Write it down on a sticky if you have to.
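The differing reset replies described in step 2, seen from the service side, as an added example that is not part of the original post and not the game's actual code: a reset handler whose reply depends on whether the account exists, the same handler with one uniform reply, and a log check for sources requesting resets on many different addresses. All names, addresses and the threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data (hypothetical accounts and request log).
ACCOUNTS = {"alice@example.com", "bob@example.com"}
OUTBOX = []  # stands in for an asynchronous mail queue
SAMPLE_REQUESTS = [  # (source address, email the reset was requested for)
    ("192.0.2.10", "alice@example.com"), ("192.0.2.10", "carol@example.com"),
    ("192.0.2.10", "dave@example.com"), ("192.0.2.10", "bob@example.com"),
    ("192.0.2.10", "erin@example.com"),
    ("198.51.100.7", "bob@example.com"), ("198.51.100.7", "bob@example.com"),
]

def reset_leaky(email):
    """Reply differs by account existence, which confirms valid logins."""
    if email.lower() in ACCOUNTS:
        OUTBOX.append(email.lower())
        return "email sent!"
    return "bad email"

def reset_uniform(email):
    """Same reply for every address; mail is queued only for real accounts.
    Queueing (rather than sending inline) also keeps response time similar."""
    if email.lower() in ACCOUNTS:
        OUTBOX.append(email.lower())
    return "If that address has an account, a reset link has been sent."

def distinguishable(handler, probes):
    """True if the replies alone separate registered from unregistered probes."""
    return len({handler(p) for p in probes}) > 1

def enumerating_sources(requests, max_distinct=3):
    """Sources that requested resets for more than max_distinct addresses."""
    seen = defaultdict(set)
    for source, email in requests:
        seen[source].add(email.lower())
    return sorted(s for s, emails in seen.items() if len(emails) > max_distinct)

if __name__ == "__main__":
    probes = ["alice@example.com", "nobody@example.com"]
    print("leaky handler distinguishable:", distinguishable(reset_leaky, probes))
    print("uniform handler distinguishable:", distinguishable(reset_uniform, probes))
    print("sources to review:", enumerating_sources(SAMPLE_REQUESTS))
```

With the uniform reply, a real account holder still gets the reset email, but the requester learns nothing from the page itself.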