I think you nailed it.

A while ago, I remember WhiskChat's inputs.io account used a disposable yopmail.com email that I was able to access...although it wasn't much use as if I remember correctly you cannot reset password by email using inputs.io. I also remember Whiskers used at least one other disposable email account for other purposes too. I'm assuming this is how his website and forum account were compromised.

On a related note during my "security audit" I noticed there was also an IP filter on inputs.io. I found out that it can be circumvented by tricking the account owner into visiting a site with some simple JS that takes advantage of an old DNS rebinding attack and allows me to essentially use their browser as a proxy to access inputs.io or any other website of my choosing.