With a six word character password, he may have been brute forced. That is more likely than his ftp being intercepted, but it could be that too.
Start with a stronger password. (8 characters is still fairly weak)
See if this link to an internet security blog is helpful.
