It's more likely that he used a shitty password. The password crackers are getting really good. They iterate on dictionary words, so turning your password from "potato" to "p0t4to34" isn't much help. Here's an Ars Technica article about it: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/