There was no exploit whatsoever in PR2. PR2 is nowadays exploitable in millions of ways, coming quite close to server-side arbitrary code execution, but that was not the case back in the day; the exploits weren’t known.
As it tends to happen in the world of information security, layer 8 vulnerabilities have always been the easiest to exploit and the hardest to patch. In this case, what happened was that UnknownAX created a rogue client — a client that simulated PR2, but also captured passwords of whomever happened to use it to log in. He publicized his website, containing this hacked client, in a rather clever way, causing a massive influx of people to visit it.
Many people used this client to log in. Amongst them was the former admin Melanie, who used her administrative account to log into PR2 via this client. As the client captured passwords before sending them to PR2 (not being the actual PR2 client, but a rogue lookalike), this gave UnknownAX access to the password of every user who had used his rogue client, including Melanie.
And thus, there was no exploit, but some foolish excess of trust from an admin.
The strange part is that I told bls all of this some time ago. I accidentally came across that email today as I sorted my inbox. I’m surprised that he still calls it an exploit, and not human error as it was — hopefully he will be careful with his new admin account, since this could happen to anyone.