Yeah, you should still set an X-Frame-Options value to prevent a ClickJacking attack, because of the nature of the site (passwords and such).
To prevent the exploit: set X-Frame-Options to DENY in the HTTP header.
Fixed
Twitter Bootstrap, again? :p
Yes, Twitter Bootstrap is quick and easy, and looks decent, with great usability.
Will certainly be looking at upgrading the UI, but right now there aren't enough hands for this.