Yea, I would take a guess its the html in posts thing.
One person on tribalwar forums (VBB, same principle I guess), managed to setup some code, that when the topic was opened by anybody, it managed to send their cookies or some form of info to another server, whereupon that person could simply view the passwords.
However, the TW forums have the passwords encrypted so it wasn't a complete take-over..
That'd make a good hack.. is it not possible to have something done so the passwords are encrypted?