FlyerTalk Forums - View Single Post - WARNING (3rd-Party source): possible IHG Data Breach and member information leaked
Old Feb 20, 2017 | 11:16 am
  #8  
FlyerTalker688786
Originally Posted by serpens
Thanks for that explanation, Ilseum.

As Concerto noted, changing a four digit PIN is perhaps not worth the effort. If the hackers know I have 100,000 points (I don't), then they can just crack the new PIN.

It seems like another solution, which might be even easier than changing to a real password, would be to put a delay on a repeated entry of a PIN. For example, if I enter the wrong PIN, I can try again immediately. If I enter the wrong PIN a second time, there is a one second delay before I can try again. After the third time, it's 10 seconds, and so on. At least that would slow down the bots.
You misunderstood.

1. Regardless of how many points you have, you are not safe. Thieves still make use of any account with a reasonable points balance (i.e. any account with a minimum of 10,000 points is at risk).

2. As Ilseum has explained, the hackers themselves do not use the account to sell rooms or redeem for gift cards, as they do not want to be traced. The information they hacked will be for sale on the dark web for a second group of thieves who are interested in operating resale of rooms online. There is a time gap between when your account is hacked and when your information is sold on. Then there is a second time gap between when your information is sold and when the second group of thieves (internet sellers of redemption rooms) checks whether your account is deemed dormant or not; this is about one week. Finally, there is the third time gap before the seller finally makes use of your points (this can be instant or as long as several days to weeks).

With the 3 time gaps, you have plenty of opportunities to prevent your points from being stolen, since one of the criteria the thieves use to determine whether your account is 'useful' to them is whether your account is 'dormant' enough for them.

Yes, changing your password frequently does not prevent your account from being hacked, but it does reduce the possibility of your points being used without a fight. The internet sellers of the redemption rooms are not hackers themselves. Changing your password would make hackers work twice; change it often, and buyers of such information will consider your information less useful, as the chance of being caught is greater for them.