You’ll need to have someone look at the web server log files in addition to the content of your .htaccess files - have you ruled yourself out, for instance?
Yes, people can use programs to snatch password-protected files. All they need to know is the username and password. A browser is just another type of ‘website grabber’ after all. Technically speaking, browsers and ‘website grabbers’ and other programs that speak HTTP to download stuff are ‘web clients’ and it is easy for a web client to support the HTTP Basic authentication method used to provide the password protection.
As far as how easy it is to crack a password-protected directory: well, that depends on a lot of things. A brute-force or a ‘guess the password’ attack would be very obvious in the logs; you should see dozens if not hundreds or more of 401 errors. However that might not be noticeable if you have used an ‘obvious’ username and password (like ‘admin’ for both), or the guesses are spread out over time. Then again, someone could have been snooping (compromised your network connection or e-mail, etc) to get the username and password rather than trying to pick the lock.
To ensure greater protection? As far as preventing unauthorized access, do not put them on the web to begin with, or use public key cryptography. Or at least ask someone with experience to help you with the ‘programming’ part of running your site.
Perl / MySQL / HTML+CSS
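
The log check described in the post above, as an added example that is not part of the original post: it counts 401 responses per client for a protected directory in an Apache common/combined access log and flags clients whose failures are followed by a successful request. The `/private/` path, the threshold of 5 and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log: host ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample (documentation IP ranges), not from a real server.
SAMPLE_LOG = "\n".join(
    # Six failed attempts from one client, then a success.
    [f'203.0.113.7 - admin [10/Mar/2024:02:11:{s:02d} +0000] '
     '"GET /private/ HTTP/1.1" 401 381' for s in range(6)]
    + ['203.0.113.7 - admin [10/Mar/2024:02:11:09 +0000] "GET /private/ HTTP/1.1" 200 5120',
       # Normal browser login: one unauthenticated 401, then success.
       '198.51.100.20 - - [10/Mar/2024:09:30:00 +0000] "GET /private/ HTTP/1.1" 401 381',
       '198.51.100.20 - alice [10/Mar/2024:09:30:04 +0000] "GET /private/ HTTP/1.1" 200 5120',
       '198.51.100.20 - - [10/Mar/2024:09:31:00 +0000] "GET /index.html HTTP/1.1" 200 900']
)


def summarize_auth(log_text, protected_prefix="/private/", threshold=5):
    """Return clients with at least `threshold` 401s under protected_prefix."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "success_after_failures": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(protected_prefix):
            continue
        entry = stats[m["host"]]
        if m["status"] == "401":
            entry["failures"] += 1
            if m["user"] != "-":
                entry["users"].add(m["user"])  # name tried; unverified on a 401
        elif m["status"].startswith("2") and entry["failures"] >= threshold:
            # A success after many failures suggests a guessed password.
            entry["success_after_failures"] = True
    return {h: e for h, e in stats.items() if e["failures"] >= threshold}


if __name__ == "__main__":
    for host, entry in summarize_auth(SAMPLE_LOG).items():
        print(host, entry)
```

The counts cover the whole input regardless of timestamps, so feeding it several rotated log files together also surfaces guesses that were spread out over time.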