Maybe the guy got caught out by a keylogger or some other Trojan. They shouldn't be able to use 'brute force' to hack a password; the use of CAPTCHAs if you get the password wrong once or twice makes it a lot more difficult, or 3 attempts and the account is locked out for 15 mins or whatever.
As on here, someone tried to guess my password. I think after 3 failed attempts I got an email from the forum s/w stating that, and I think the IP address of the person.