They caught the people responsible, and convicted them, as the Wikipedia page describes in detail at the end. The actual perpetrators acknowledged they'd sent phishing emails to gain access.
Whether or not there was brute force rate limiting available at the time (which seems unclear), that's not related to the specific events you brought up.
Whether or not there was brute force rate limiting available at the time (which seems unclear), that's not related to the specific events you brought up.