I'm really not surprised this has happened.

Please remember, anything you submit to a site is only as secure as the least ethical/professional staffer, or the competence level of the progamming and even well programmed sites can have holes.

If someone can get into the backend of a site, all the unecrypted information you have sent to the site is available to them. accessing anything just requires knowing where to look in the data storage for someone who has access regardless of how they obtained it.

If there's a staffer who cannot be trusted, they may often leak information. In my time I've seen staff not only leak information, but falsely report supposed staff side info for their own ends, dox other staffers, or otherwise treat the privacy of users with complete disrespect for their own ends. It never happened on storm but I've dealt with several sites on both sides of the moderator/member divide where it has happened. In one case, the owner of the site leaked purported mod site information for the purpose of defaming someone he just didn't like.

Whenever you submit information to a site, even if it's supposedly something only staff can see or something that it supposed to only be seen by you and another, always remember that supposedly and actually are two different things, hope for the best, but always plan for the worst.

Yes, a site should be secure and you should be able to trust that staff will not leak info, but the truth is we have to deal with the reality that not all sites are secure and not all staff are trustworthy, especially if the screening for staff members is poor or otherwise lacking.