This has happened to me. During the fan site hack wave about a year ago, the email I used with RuneScape, which was the same email I registered with a specific fan site, was obtained from the database. The passwords were totally different. All of my in-game passwords are a randomly generated string. After my email was obtained, it was only a matter of time until the hacker obtained the rest of the information from either database entries or logs from the fan site.
I've seen quite a few hack attempts pass by during my absence from RS. The worst for me was also the fan site hack armageddon last year. They'd got into one of my e-mail accounts, which was also the address to which my RS account was linked. Luckily, they didn't get into my RS account. Sadly, they then decided to hack into other accounts linked to that e-mail account, such as Yahoo, Etsy, Twitter... They changed all my passwords, not sure why though. Boredom? The hacked e-mail account was really more of a spam account and I got control over all my accounts again within minutes, so there was no damage done, but it gave me quite the scare nonetheless. Since then, I'm a lot more careful and use separate e-mail accounts for everything, even if it feels quite silly.
Even before that, I got Jagex e-mails from time to time that evidenced someone trying to get into my account but failing to get the recovery questions right. In my case, Jagex didn't fall for it, to my relief. It was just a weird feeling to see a game that wasn't even on my mind anymore cause such havoc.