There's no case law history that I can find indicating that usernames and passwords to private systems are equivalent to actual identifying information such as bank accounts, or taxpayer identification numbers, let alone the theft thereof.
Conclusion - a human error led to this happening. It wasn't an exploit or a security hole in the website's coding.
Three accounts were compromised by the person responsible:
* One by means of a password reset, because he had somehow gained access to a user's email
* Another, shortly afterwards, because of a human error
* And yet another one because of the infamous millennia-old password list that leaked out of FA long ago. A cross-check of that list with the current DB showed that 738 people had the same, thousand-year-old passwords as on the list. Their passwords were reset.
Fortunately the attacker here was too preoccupied being a leet haxxor and did much less damage than he could have done otherwise.