Maybe you used login details that were found in a database somewhere. But yeah the posibility of Runemate stealing your credentials is possible even though they deny it. That's the risk of submitting your data somewhere ;-) 2 step authentication prevents this.
