They can, but then you'd know your account was touched. This way, you've no idea it ever happened.
@ P2Pdog, the script you pointed out had a major "bug" if you wanna call it that way, that allowed anyone to actually login to any account. This was only corrected around april 2009 in the 2.3 version.
There is a relatively easy way to know if the site is running such script. Google around and you'll find it.
