Originally Posted by eng3:
Strong passwords are good, but I'm pretty sure most SUCCESSFUL attackers typically get in by just asking (via phone or email).
Most successful attackers get in due to users re-using passwords.
A user uses the same username/password combination on their airline website and on some random forum website that they use (let's use the fictional 'WalkerChat' as an example). WalkerChat has a security vulnerability, and their username/password list gets hacked. The hackers now have full access to WalkerChat, but obviously that's not a very interesting target. So instead, they start attempting to use the same username/password combinations on various Frequent Walker sites - and eventually find several users that have used the same username/password combination on those sites and they are thus able to log in and steal those users' Frequent Walker miles.
To the users, this looks like the Frequent Walker site itself was 'hacked', when in fact it was another unrelated website.
This exact sequence of events has played out countless times over the years, and is why you should never use the same username/password across multiple sites. It's also most likely why United stopped allowing you to sign in using a username, and now only allows a MileagePlus number - so even if you did re-use your MP password somewhere else, the 'username' would be different.
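The sequence described in the post above, seen from the targeted site's login log, as an added example that is not part of the original post: a source replaying a leaked list touches many different accounts once or twice each and mostly fails, which separates it from guessing at one account or from a shared office address. The event format, sample data, function name and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample login events for the targeted site: (source_ip, username, success).
# IPs are documentation ranges; none of this is real data.
SAMPLE_EVENTS = (
    [("203.0.113.50", u, u == "carol")            # replayed list: 6 accounts, 1 try each
     for u in ("alice", "bob", "carol", "dave", "erin", "frank")]
    + [("198.51.100.9", "grace", False)] * 8      # guessing at one account, not list replay
    + [("192.0.2.10", u, True)                    # shared office NAT, everyone logs in fine
       for u in ("heidi", "ivan", "judy", "kim", "leo")]
    + [("192.0.2.44", "nina", False), ("192.0.2.44", "nina", True)]  # one typo
)


def stuffing_sources(events, min_users=5, max_success_rate=0.3, max_avg_tries=2.0):
    """Flag sources that try many different accounts, a few times each, and mostly fail.

    Thresholds are illustrative assumptions, to be tuned against a site's own traffic.
    """
    tries = defaultdict(lambda: defaultdict(int))  # ip -> username -> attempt count
    wins = defaultdict(set)                        # ip -> usernames that logged in
    for ip, user, ok in events:
        tries[ip][user] += 1
        if ok:
            wins[ip].add(user)

    flagged = {}
    for ip, per_user in tries.items():
        users = len(per_user)
        attempts = sum(per_user.values())
        success_rate = len(wins[ip]) / users
        if (users >= min_users
                and success_rate <= max_success_rate
                and attempts / users <= max_avg_tries):
            # Accounts that did log in from this source likely reused a leaked
            # password: candidates for a forced reset and an activity review.
            flagged[ip] = {"users": users, "attempts": attempts,
                           "reused": sorted(wins[ip])}
    return flagged


if __name__ == "__main__":
    for ip, info in stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```
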