Yep, anyone wanting to move your coins would need your account password AND your PIN. It's likely that at some point, you logged in via a phishing link and provided your PIN. Change your password immediately.