I would be really, really suprised if it was Hotpocket or Lunario. They do not have the knowledge to access an account illicitly.
Its also a bit harder to hijack accounts ever since the forum moved to https, so it probably is prior knowledge of the password or a flaw with this version of SMF.