I would concur that he probably had a keylogger.

but a few years ago found a few interesting things with yahoo, one of which was the ability to login to your account via the url and your hashed password (which was in the url). Lets just say i had some fun with that locally. Dont know if it was ever fixed, or changed, or what, but ya...