Twitter anyone?
http://www.lmgtfy.com/?q=Alice%E2%80%99s+%E2%80%98Bucket+List%E2%80%99+
Are el reg journos blocked from twitter now?
2 publicly visible posts • joined 21 Jan 2011
I've not seen anything which says the attackers picked up passwords from a file or from the database in plain text. This attack would be easily achievable using XSS or simple insertion of code into the PHP on the server at the point the browser commits them. Said code could email to a drop box account or access a remote server to upload the card details.
Without auditing of all live files against the database, an html file could have had a remote scripting attack in it for months without being detected, especially if the site design wasn't changed.