All the hacker has to do is guess the right PW or answer security question correctly and it's game over.
The chances of that are very low
Only if it's coupled with email verification though
Just to put it into perspective as to how easy it is to guess someone's password:
There are 26 potential English letters and 10 potential numbers that can be used in your password (we can ignore all the special characters that someone could potentially use as well as capital letters).
If an attacker knew that a specific account's password was exactly 6 digits (I don't even think the forum allows for passwords to be this short) then the number of potential passwords would be 36^6 or written in base 10 scientific form 2176782336 ~2.17 * 10^9 or 2,176,782,336 or ~2.1 billion possibilities. Considering that an attacker can only attempt to "guess" a password once every 45 seconds, it would take 816,293,376 hours (34,012,224 days) to guess a password if the attacker has 100% luck (the attacker correctly guessed the correct password exactly halfway through all the potential passwords).
tl;dr it is not realistically possible to guess someone's password without some kind of social engineering and/or exploiting some kind of weakness of the person who owns the account (the owner somehow being at fault).