...

The hacker sent a continuous stream of sendTransaction(...) requests (one every 2 seconds) to Patrick's IP address on port 8545, and each request was forwarded to the geth instance. When Patrick used the Ethereum Wallet to send a transaction, the Ethereum Wallet unlocked Patrick's account for 2 seconds, and the hacker's transaction succeeded in moving Patrick's ethers to the hacker's account.

For more details, see the original Stack Exchange post.

Advice

1. Never turn on RPC on hot wallets. Even with IP and CORS limited to localhost. Just don't.

...
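One way to check a node's startup command against item 1 of the advice, as an added example that is not part of the original page or of geth itself. It assumes the audited node holds keys (a hot wallet); the function names and the sample command lines are constructed for illustration, and only geth's own flag names are real.

```python
import shlex

# geth HTTP JSON-RPC flags, legacy and current spellings.
RPC_ENABLE = {"--rpc", "--http"}
ADDR_FLAGS = {"--rpcaddr", "--http.addr"}
API_FLAGS = {"--rpcapi", "--http.api"}
UNLOCK_FLAGS = {"--unlock", "--allow-insecure-unlock"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_flags(cmdline):
    """Map each flag on a geth command line to its value (None for bare flags)."""
    flags, tokens, i = {}, shlex.split(cmdline), 0
    while i < len(tokens):
        name, sep, value = tokens[i].partition("=")
        if name.startswith("-"):
            name = "--" + name.lstrip("-")      # geth accepts -flag and --flag
            if not sep and name in ADDR_FLAGS | API_FLAGS and i + 1 < len(tokens):
                i += 1
                value = tokens[i]                # "--rpcaddr 0.0.0.0" form
            flags[name] = value or None
        i += 1
    return flags

def audit(cmdline):
    """Findings for a node assumed to hold keys (a hot wallet)."""
    f = parse_flags(cmdline)
    if not RPC_ENABLE & f.keys():
        return []
    # Per the advice, RPC on a hot wallet is a finding even when bound to localhost.
    findings = ["RPC enabled on a node that holds keys"]
    addr = next((f[k] for k in ADDR_FLAGS if k in f), "127.0.0.1")  # geth default
    if addr not in LOOPBACK:
        findings.append(f"RPC bound to non-loopback address {addr}")
    apis = next((f[k] for k in API_FLAGS if k in f), "") or ""
    if "personal" in apis.split(","):
        findings.append("personal (account management) API exposed over RPC")
    if UNLOCK_FLAGS & f.keys():
        findings.append("account unlock flag combined with RPC")
    return findings

# Constructed command lines, not taken from the incident.
EXPOSED = "geth --rpc --rpcaddr 0.0.0.0 --rpcport 8545 --rpcapi eth,net,personal --unlock 0"
LOCAL_ONLY = "geth --rpc --rpcaddr 127.0.0.1 --rpccorsdomain http://localhost"
NO_RPC = "geth --syncmode fast"

if __name__ == "__main__":
    for cmd in (EXPOSED, LOCAL_ONLY, NO_RPC):
        print(cmd, "->", audit(cmd) or "no findings")
```

The localhost-only command line still produces a finding, because a wallet application can unlock the account briefly even when no unlock flag is set, as happened in the incident described above.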