Site Hacked by NoNameUser: Help me understand how

Hi,
My site was hacked on 14 April 2017. Fortunately and hopefully it’s a mini hack and I have recovered everything well.
But what happened?
1. I just discovered that the site title and tagline in the settings page were changed to ‘Hacked by NoNameUser’ | ‘Hacked by NoNameUser’.
2. My admin username was changed to something else, though display name, email, FB profile Bio…everything remained unchanged. I recovered the account using password reset.
3. After 2 days, I discovered that one post title was replaced by ‘Hacked by NoNameUser’ post and the url looked like https://mysite.com/category/hacked-by-nonameuser , while the publication date still remained in 2015, last edit date was not changed either, 4 April 2017. All content of that post was replaced by only a single line ‘Hacked by NoNameUser’.
If the hacker accessed the post editing screen, the last edited date would have been 14 April, so he didn’t access that.
4. Now by googling ‘Hacked by NoNameUser’ I also discover that not only my site, but also some other sites were hacked in the similar way and the posts are even indexed by Google.

The site has two admins and one author account. Everyone has very strong password and two-factor authentication enabled. It is confirm that the hacked didn’t access the dashboard. Site’s xmlrpc is disabled. Directory browsing disabled. Using latest version of everything.
Please throw some insight regarding how could the hacker do all these. Thank you.