I would say most likely it was a exploit to gain acess. Bruteforcing a 17 char password is something you really could not do espically if you are trying against a place online. Unless just horrible security it would stop IP access if you just keep hitting it with wrong passwords.
Yes I realize now that brute force has a slim chance, I was kind of hoping that it was brute force because then I can fix it relatively easily but now I am not sure how he got access and just trying out everything just hoping to fix the website.