This doesn't surprise me at all; nor, would I imagine, will it come as a shock to anyone who has had any professional dealings with a "Hacker Safe" site.
At my previous workplace, a colleague (who I'm sure is reading this - Hi, Dave!) was responsible for security audits on potential business partners' websites. One had passed the "hacker safe" tests and proudly displayed the logo on their site, yet he discovered the site itself and the processes in place behind it were laughable.
When you logged out of the site, it displayed a message reminding you of what your password was for the next time you visited. Their policy regarding changing passwords was that the customer could email them with details of what they wanted their new password to be. All this was sent and stored in plain text. This was right up in your face - you couldn't fail to notice it, yet someone at McAfee still decided to issue the "Hacker Safe" certificate.
And this was before we even got to the application errors, XSS, DoS opportunities, configuration files and information being left out in the open - and on a site storing VERY personal data as well. It just goes to show that whatever tests go on to certify a site as being "Hacker Safe", they're a joke at best; and incredibly damaging at worst.
Paris, because her "box" has probably been rooted less than many Hacker Safe sites.