I'm not that familiar with nexopia (never heard of it, actually), but I'm guessing that it should probably keep your password information secure. Below are two possibilities:
Your hacker (how do you know it's a she?) could have simply guessed your friend's password if it was easy enough (i.e. password, 123, their name). Or maybe your hacker could've downloaded some password cracking program (there are some out there, if you look hard enough...).
If in doubt, just get your friend to change his password, and if the hacker still gets into the account, they probably have a program to do so (or maybe even a keylogger, which is dangerous...)