It's weird. How do they get all those passwords?
Any account that hasn't changed its password since the 2015 hack is vulnerable, as the database containing hashes of the passwords is available on the dark web. They can then be brute-forced unless they were very strong. Other accounts are generally as a result of a couple of mirror sites of the forum that are used to phish login details. Google is a big fan of putting these up as search results ahead of or instead of the real bitcointalk.org search results.