Apologies! Should have expanded on that a bit. Overall gist: billabong.com has Plesk publicly available for login. Plesk allows root (full system access) logins from a remote source and has all kinds of exploits available for purchase and abuse.
This kind of stuff happens, but in essence Billabong's sysadmin needs to start surfing exploit mailing lists more than he's surfing other places :)
(Plesk.)