I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Man-in-the-middle attacks can capture POST requests, hijack sessions, strip SSL connections and do other malicious attacks to steal your passwords. Be very careful about who you give access to your internet; never leave your access point open.
You can check the SSL security certificate in your browser itself, and then hijacking a session is not that easy at all, but you can attack the wallet with the help of phishing sites which are similar to the MEW wallet.
If you enter your private key on the MEW copy, you will surely lose all your funds in that wallet.
I am not sure they will be able to steal the tokens without the Ethereum balance as well. If anyone can clarify this, that would make it easier to understand.