My version of the story is, Tihan selected a password from one of the Mt. Gox API keys and we face-to-face agreed to use that. There was no plan to release the source code ever (and if I did it myself, I would at least remove the credentials). The password has never been changed for 5 months, despite the transfer of ownership.
I didn't expect to be able to log in to LastPass after Bitcoinica Consultancy took over. So I didn't try.
That nicely fits another nice little theory which is simply that the entire gameplan of buying bitcoinica from you was from the start to pull a MyBitcoin. Leaving the password unchanged would in such a storyline be deliberate, a way to tar you with the same brush they planned all along to be painting all the pots and kettles black with.
You should have insisted they change all passwords to one you would not know. Heck in future I would consider getting that in writing, so that if at any future time it emerged they used any password that was known to you you could sue them for deliberate attempt at defamation of character and/or framing you or adding you to a suspects list.
I sure hope the Canadian Imperial Bank of Commerce data centre changed the vault combination when I left them, I'd hate to find myself swept up in a dragnet someday due to something nasty happening and it turning out they neglected that simple standard normal expectable step.
-MarkM-