
Linux webserver botnet pushes malware

openmtl
WTF?

Well plesk keeps FTP passwords in clear text for the lulz.

I doubt the FTP passwords were got from sniffing - probably from the following script, which, if run on systems with Plesk, gives you all the FTP passwords in clear text for the shared accounts:

mysql -u admin -p`cat /etc/psa/.psa.shadow` psa -e "select s.login,s.home,a.password from sys_users s,accounts a where a.id=s.account_id"

So all it needs is someone able to read /etc/psa/.psa.shadow and there goes a whole shared server of vhosted accounts, because once the passwords have been got, all the .php and .html files on all shared accounts get appropriate iframes added by a botnet that usually has 1 file edited per bot, using a process of a) FTP get, b) edit file, c) FTP put. This makes a joke of the webhoster strategy of limiting FTP connections per IP - 50 different IPs hit the site and each edits 1 file!

How does someone get to read /etc/psa/.psa.shadow? Well, obviously only root and psaadm can read that, but my feeling is that root doesn't get exploited but rather something that runs as root or psaadm on the server. So there's no need to brute-force FTP passwords nor reset them (which alerts the owner that something is wrong) - once in through some broken application that has escalated, Plesk gives you the cleartext passwords for the rest of the FTP accounts.
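As an added example that is not part of openmtl's post: a small Python check for the many-IPs, one-file-each get/edit/put pattern described above, run over constructed FTP transfer records in the standard xferlog layout (wu-ftpd/proftpd/vsftpd); the account names, IPs and paths are made up, and the 60-second window and 3-IP threshold are assumed values a hoster would tune.

```python
# Added example: flag FTP accounts whose files were downloaded and then
# re-uploaded from many different IPs, each IP touching one file. Per-IP
# connection limits never see this; counting IPs per account does.
from collections import defaultdict
from datetime import datetime

# Constructed xferlog-format lines: three "bots" each doing an outbound (o)
# download then an inbound (i) upload of one file of account 'shop', plus
# one ordinary upload by account 'gallery'. Fields follow the xferlog spec.
SAMPLE_XFERLOG = """\
Mon Sep 14 10:00:01 2009 1 198.51.100.10 2048 /httpdocs/index.php a _ o r shop ftp 0 * c
Mon Sep 14 10:00:05 2009 1 198.51.100.10 2140 /httpdocs/index.php a _ i r shop ftp 0 * c
Mon Sep 14 10:01:10 2009 1 198.51.100.11 512 /httpdocs/about.html a _ o r shop ftp 0 * c
Mon Sep 14 10:01:14 2009 1 198.51.100.11 604 /httpdocs/about.html a _ i r shop ftp 0 * c
Mon Sep 14 10:02:20 2009 1 203.0.113.7 900 /httpdocs/contact.php a _ o r shop ftp 0 * c
Mon Sep 14 10:02:23 2009 1 203.0.113.7 992 /httpdocs/contact.php a _ i r shop ftp 0 * c
Mon Sep 14 11:30:00 2009 3 192.0.2.50 40000 /httpdocs/photo.jpg b _ i r gallery ftp 0 * c
"""

def parse_xferlog(text):
    """Yield (timestamp, remote_ip, path, direction, user) per line; skip malformed lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:          # xferlog has 18 whitespace-separated fields
            continue
        ts = datetime.strptime(" ".join(f[0:5]), "%a %b %d %H:%M:%S %Y")
        yield ts, f[6], f[8], f[11], f[13]

def find_get_edit_put(text, window_s=60):
    """Return {user: {ip: {paths}}} for files downloaded then re-uploaded from
    the same IP within window_s seconds: the bot's get / edit / put cycle."""
    last_get = {}            # (user, ip, path) -> time of the last download
    hits = defaultdict(lambda: defaultdict(set))
    for ts, ip, path, direction, user in parse_xferlog(text):
        key = (user, ip, path)
        if direction == "o":                     # outbound = client downloaded
            last_get[key] = ts
        elif direction == "i" and key in last_get:   # inbound = client uploaded
            if (ts - last_get[key]).total_seconds() <= window_s:
                hits[user][ip].add(path)
    return hits

def suspicious_accounts(text, min_ips=3):
    """Accounts where at least min_ips distinct IPs each ran a get/put cycle."""
    return {u: sorted(ips) for u, ips in find_get_edit_put(text).items()
            if len(ips) >= min_ips}

if __name__ == "__main__":
    for user, ips in suspicious_accounts(SAMPLE_XFERLOG).items():
        print(f"{user}: get/put cycles from {len(ips)} IPs: {', '.join(ips)}")
```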