Seems that it wasn't an exploit in phpBB, but targeting those with access to the server. Most likely it is opportunist "piggy back" attack, that would target any server from any computer with access. It is also possible the staff member was targeted specifically and let their guard down.
Anyway, this is a good reason why you should keep track of who has access to your server, and anyone with high level access, follows good home security.
Some organisations even audit, such users.
grep is your friend.