phpBB doesn't actually store your password in the database anyway. It uses an MD5 hash for this information. For those who don't know, MD5 is a non-reversible hashing algorithm. When you log in, the forum software hashes the password you just typed in and compares that to see if it the same as the hash in the database. If it is, you get in. To repeat, your password is never stored in the database, and you cannot reconstruct a password from an MD5 hash. I have an idea how this happened (I'm a professional software engineer by trade) but I'm not going to speculate here. I can, however, say in certainty that the database wasn't stolen.