I am not sure I understand what happened. If it is a brute force attack and the hacker gained access to the user's account, how would s/he be able to obtain the user's loyalty password anyway? When I go to my account, the password is masked.

And then AwardWallet confirmed that on its end, the password is encrypted.

Anybody with better understanding?