If you used it by putting your nsec in, yes. If you used an extension like Alby, no. But it also depends on how you set-up your Nostr account the first time, did you use a client to generate your account? I believe there's a way to generate a key from the protocol without using a client.

Oh, I'm sure it can be. Some (few) clients require you to create a passphrase to encrypt your nsec at least.

Should give an option to let user encrypt private key with a password

Hacked is a strong word. Let’s say you use damus and someone sees you enter your passcode to unlock your phone and then steals it. Then yes they could do that. But it wasn’t exactly a hack