I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.
The good news is the hacker didn’t brute-force the password. The bad news… yeah.