My guess is the hacker installs a keylogger or otherwise monitors activity at something like the Sheraton Link computers where people are likely to access their SPG accounts. Then they log on, transfer the points to an airline account (also in your name), and use the miles to buy a ticket for someone else.

Even if that's not happening here, it's a good reminder not to use your passwords at public computers to the extent practicable.