This is actually really, really common.
I ran a database repository for a beta test of an MMO video game some years in the past as a side project. This site ended up being used by the development team for various reasons during the beta period, and members of the QM and GM teams were also instructed as to how to log in to check certain bits of data.
I had put in login logging to detect if people/IPs who shouldn't be there were trying to get to the data, but this had the odd side-effect of gathering a huge number of attempts of the GM/QA teams trying to use their in-game login as was the norm with their internal forums. This gave me about 12+ logins over the beta period of valid GM accounts with GM abilities even on the live servers. Luckily for them, I was not out to mess around and reported it to the QA manager at the time--but if I had wanted to be malicious, I could have done a huge amount of damage. (With some of the accounts being flagged as high enough access to more or less destroy/create anything on the live realms.)
People are generally just not careful with their credentials and often think that if it's ******* on the screen, nobody on the other end (e.g. a webmaster or database guy) can never possibly see what they entered.
Real Programmers don't eat quiche. They eat Twinkies and Szechwan food.