Well if someone got a dump of the DB, and had the password hashes it would be pretty easy to get the password from them, given that vanilla is OS and they could of gotten the salts (probably from the db) if the passwords were salted.
So yea, either same hole or someone just used a real password.