Did you use HTTP or HTTPS before the URL? Because if you used HTTP, then your connection left an exit node unencrypted before hitting onion.to and being proxied back to the SR hidden service. The exit node could have sniffed your SR credentials.