This person has probably been attacked with a man in the middle attack. I think he has used a malicious TOR exit node which was sniffing his traffic. They then messed with his SSL certificate to blockchain.info. Because of this the user was logging in at blockchain on an unsecure (HTTP) connection. The attacker was able to sniff his data, and get the password. Im doing researchs to these attacks as we speak. Very frightning.
This would not work. Everything is done on the client side as far as encrypting and decrypting the wallet, creating new private keys and signing TXs. If the SSl certificate was tampered with then he should have received a warning.
The only thing a TOR exit node would have been able to do is stop the TX from being broadcast or prevent the user from accessing his wallet.
IMO TOR had nothing to do with the fact his money was stolen (if it was in fact stolen)