I can't imagine how he did it. Someone said bruteforce pass in Admin CP, well how? I know some programs for cracking passwords (ftp, pop3, nt servers or whatever) with bruteforce, but for vB Admin CP, that sounds unknown. He found another way to penetrate, like cross-site scripting or sendings javascript code. Yeah, vBulletin is known for many exploits. One of many: http://online.securityfocus.com/archive/1/264020