If FR is permitting non SSL connections, that could be a problem. Otherwise, the account theft would have to occur from within the FR environment.
* unless bogus DNS and folks are landing on different servers.
Curious if the hacked accounts are using VPN proxies.