It's possible they were exploiting a bug in WPS (WiFi Protected Setup) which allows an attacker to join your network without foreknowledge of the PSK. However, I'd be a little surprised if an attacker who could exploit WPS would actually have been thwarted by your MAC address filter. It may also have been someone who has access (legitimate or otherwise) to an authorized device, and was just copying the key over to another device whenever it got changed.
As others have mentioned, MAC address filtering is indeed trivially bypassed. Your client devices are always broadcasting their MAC addresses over the air and in the clear while they're connected. Once an attacker sees a client who is actively communicating with your router, they can just configure their system to use that client's MAC address to connect. That said, MAC filtering is not an entirely worthless measure. Though it's easy to get around, it does add another hurdle that attackers may not want to be bothered with (or some less experienced ones may not be capable of) overcoming. Just don't rely on this as a primary defense.
Another common weak security measure people try to use is turning off SSID broadcast. While this might help to protect you while nobody's using the network, the SSID will still be broadcast in the clear (along with the MAC addresses) whenever there is network activity. Turning off SSID broadcast actually requires you to weaken the security posture of your client devices to be able to connect them - they will need to be configured so that they will always be looking for (and advertising the SSID of) your network whenever they're turned on, thereby giving attackers a chance to trick them into connecting to a fake AP with your SSID. This is definitely something you should do without, as it actually incurs a certain security penalty for no real gain.
Your real defensive measures against WiFi thieves lie in strong authentication mechanisms (i.e.: WPA2 with a strong PSK), firmware maintenance, and disabling unnecessary services (e.g.: WPS). The last of those may be tricky, as some out-of-the-box firmwares make it difficult or impossible to completely disable certain functions. That's where third-party firmwares can be a great help, so you don't have to go out and buy a new router to do what you should be able to do with your existing one.