it is possible, ive never had it done tbh but
theres various ways it can be done.......obviously the usual phishing way of sending a fake email to look like youve got a message from the site or wahtever and when you click the link and log in they save the log in details
on forums obviously owners, mods, admin are in control and can access EVERYTHING so all it takes is somebody fancying a bit of fun and.......this happened to me, i was a member of abands official site, a guy started an unofficial forum, i was mod, eventually he moved on and "gave" me the forum so i was "owner" two people i knew from both forums i made mods.....one of em decided to have "fun" changing somebodys posts etc that they didnt like, i didnt know which one it was so i demoted both of em till i found out who.....then the one who it wasnt kicked off with me big time, still i stand by my actions
sometimes people tell, may have inadvertantly shown somebody the password
also it could be brute forced (software used to guess password configurations, can take hours to do)
if they have control of the account still, change the password...use letters and numbers mixed to be sure, and if people have been offended post an apology explaining?
could even get mods to change the username?