Sure, if he gave them his password, or they somehow got it from him.
Possibilities might include an exploit in phpBB, where the attacker could read the contents of his config.php file (I believe that’s what the phpBB one is called anyways… I forget atm). Though that would mean he has completely opened access to that database from the Control Panel.
I suppose they could have also guessed one of his passwords, including his account password, and just used that.
Many “possibilities” you could make up, but no real way for us to find out until some preliminary checks are made by the OP. That would include changing all of his passwords, upgrading to the latest version of phpBB (if he hasn’t already), and checking apache logs for unusual activities (which would be a HUGE pain probably).