Realistically what happened to you was probably some sort of malware (keylogger) that was able to either obtain your email address and do an MP password reset or obtain your MP password directly. Using a publicly accessible computer like one in a hotel lobby (if that's what you meant by don't use a hotel computer) to access ANYTHING is IMO a bad idea, as these typically have little to no security. Another possibility is that you were caught up in a phishing site where you unknowingly gave your MP# and password directly to the hackers.
Normally I'd say your MP account, unlike bank or CC accounts, doesn't really have customer protections for this type of fraud, so any return of the miles would really be a goodwill gesture, BUT given they caught the first fraudulent attempt to use the miles, this really should have been a flag to UA/MP to contact you immediately and change the password/lock the account and contact you in some way.
ETA: Also, I would do the following: run a scan on your machine using up-to-date AV software; once you've done that, check any and all accounts you access online (webmail, bank, CC, etc.) and make sure there's no other fraud, and maybe change your passwords to be safe.