One of the companies I contract for had a client system they maintained hacked and its web site replaced with an ebay password phisher. The root password was 123456, so there’s a good chance that it was just 0wned that way.
Boss guy approves our changing the passwords on the other client sites so long as we “don’t make them too complicated” because it “takes [him] too long to type it in”.