You don't actually need to 'hack' anything to get hold of someone's password. I've pulled this trick on people in the past (not maliciously, only with friends) and only a modest amount of computer skill is actually required. You just have to rely on the ludicrous password 'security' most people employ and perhaps a few Derren Brown mind games
.
In current times when people use the internet for various aspects of their daily lives, having access to someone's email without their knowledge gives you a lot of control.
OcUK - have you thought about hosting the don's room as a separate forum, on another IP address, restricted by IP with a simple .htaccess? That would prevent a re-occurrence as, whatever other security you employ, you can never rely on the user to keep their password secure or the user's PC to be clean.