If you let the wallet generate the 12-random password, it's impossible for a hacker to bruteforce your passphrase. Period. There are just too many possible combinations to be tested for any bot trying to find weak passwords
But if instead of using the default series of 12 words as passphrase, you use a personalized -but weaker- password with just a few characters, it may be possible for it to bruteforced.
That's why long passwords are strongly recommended anywhere, not just to create an account in your wallet. The longer the password, the safer. And that's why the wallet comes with the passphrase generator tool built-in, to create strong passwords
Check what your password was, if you can, because if it really was bruteforced by a hacker (and not involutarely leaked somehow) it must have been a really weak and short password.
Just in sight of the transaction and time (year 2020) I can't tell if it really was a hacker who devoted his time to discover weak passwords. That destination account only had 16 transactions during all 2020, most of them with small amounts. And it seems the total was later sent to an account with >45,000,000NXT (an exchange I guess)
All the transactions are public in the blockchain, and can be tracked using a block explorer. You can even use the wallet as a explorer. But knowing the sender and recipient accounts doesn't mean you know who owns these accounts. That's the tricky part.