Sigh... I've said this a million times before and I'll say it again. Anyone with two brain cells and a traffic sniffer like Wireshark can personally verify that your account info is encrypted client-side before being sent to the server. When you pull the account info from the server you receive the same encrypted data, which is then decrypted client-side for use. Now anyone with a little bit of reverse engineering experience and three brain cells can also verify that the encryption is overkill strong and uses information that would only be available to the user and is only ever stored in memory. Your account was likely stolen in one of the numerous ways accounts are stolen everyday including, but not limited to, a keylogger, phisher, or (the surprisingly most common option) a friend. When in doubt,
Occam's razor.
tl;dr we couldn't access your account even if we wanted to and we don't want to.