Half right. Q's not back, but his password wasn't guessed or cracked.
This is a simple logic puzzle. If Q's pw was hacked and you wanted to spoof some posts and clean up B's turd, you simply sign in and do those things. Everything looks right, because by all measures, it is right.
The reason this is so f'd up right now is because a matching trip code was generated by a pw/hash+salt combination. The fact that there were two observed and capped periods where the salt was changed, Fake Q posted, then the salt changed back tells anyone all they need to know as to whether or not it was fake or legit. It was fake.
If it were real Q, or real Q's pw was cracked, neither of those things would happen and no one would be the wiser.
Another giveaway is the use of Tor. I'm not aware of any legit Q post coming in from Tor. Tor was used to further conceal the user's exit node IP. Not a problem for real Q.
So, yeah, it's comped. Who and why are what's left to answer. The fact that the local shill crew went apoplectic when the scheme was revealed should be a gigantic flashing red laser beam.
When the cat's away, the mice will play. I have a good idea what went down, but that part is still speculative. Whether it's real or fake is for all intents and purposes a decided issue. If it walks like a duck…