This is the most common way. (Score 1)

Paket sniffing is way too much work for most script kiddies, yet they have access to exploits, to exploit servers and get databases. Then it's right there in plain text. Which one do you think is more appealing to script kiddies? I am not saying that this person was a script kiddie, but since he did find the database on an obviously insecure server... It makes you think. If he made his own exploit, how long till it is released? Needless to say, this is scary.