The Exploit / Vulnerability is in the WPS itself which sends the hacker your password once hacked.
There are a set of tools online that uses the exploit / vulnerability to get the internal 8 digit code, the WPS button doesn't need to be pressed to be hacked and just changing your password wouldn't stop them.
Do a search for Reaver
it should tell you in more detail.
So its best to just disable the WPS option and change your Wi-Fi password as soon as.
Your probably not using the WPS feature anyway, so just disable it.
Most modem / routers have it on by default, I know several homes near me had it enabled until I told them their password and how it was got, they then disabled WPS and changed their passwords.
They could of also done an offline brute force password hack which can take a while depending on the length and complexity of the password used.
This offline attack only requires them to scan your Wi-Fi network traffic for a few mins, force one or two of your Wi-Fi devices to disconnect and record the traffic when the re-connect and they take that data home with them and brute force it to decrypt the data to get the required information to allow them to connect to your Wi-Fi.
Sadly noting can stop the offline attack, but you can slow them down with long complex passwords like a mixed case and numbers password, some also allow symbols in the password.
- Infinity 4 - 310Mbps (down), 31Mbps (up)