This is case of not using decent encryption, TOR just allows for the traffic that client sends to be routed around an virtual network - the exit node just sniffed the traffic and either ran a cracker on the password or the password was plain text.

Either way it's the fault of the network admins for allowing non-encrypted passwords (that are well encrypted)

Jokers.