His tripcode is a by-product of two things, his pw and a hashing function. I'm sure the real Q's pw is secure and with him.
What appears to have happened is an elaborate spoof, where if you only have one half of the pair, but you have the output you want, you then play around in a sandbox with hashing functions that produce the output you want, Q's tripcode, and substitute that temporarily to run the fake.
That would require very high-level site-admin or network-engineer privileges, and either way it is an utter compromise, even if repaired with the old, secure hash right afterwards.
I'm not one agreeable to being gamed.