Does Alexa really harvest passwords and spider password-protected areas of sites? (infoworld.com)
8 points by raganwald on June 22, 2008 | 2 comments



It sounds more like a badly designed web app than Alexa doing something it shouldn't. If it really did harvest passwords and log in with them, we'd hear a lot more about it.

As gojomo said it was probably passing the username and password in the URL (query string). I've been burned by the exact same thing before because of Alexa. I had the little Alexa rank FF extension which told Alexa about a page I really wish it hadn't...


I suspect that if this happened as described, it was a combination of rare factors and/or happened long ago.

The Alexa robot obeys robots.txt, for one. AFAIK, it doesn't POST form data or visit HTTPS URLs. It might GET any plain HTTP URL it discovers or that appears popular from toolbar reports.

Some web sites can be disrupted by otherwise well-behaved crawlers. They might have a buggy robots.txt. They might use logins that put credentials on a GET query-string -- and that URL could thus be reported elsewhere by toolbars, or back-linked by referred-to sites. They might perform destructive operations via GET. So elements of the story are plausible, with enough other assumptions about the fragility of the admin pages in question.
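
As an added example (not part of the thread), here is one way a site owner could audit an access log for the two fragile patterns the comments describe: credentials carried in a GET query string, and state-changing actions reachable via GET. The parameter names, action words and sample log lines are constructed assumptions, to be tuned to the application being audited.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed names; adjust to the application under audit.
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "pass", "token", "sessionid", "auth"}
DESTRUCTIVE_WORDS = {"delete", "remove", "drop", "purge", "destroy"}

# Request field of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def audit_line(line):
    """Return findings for one access-log line (empty list if nothing is flagged)."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return []  # only GET URLs end up in toolbars, Referer headers and crawler queues
    url = urlsplit(m.group("target"))
    params = parse_qsl(url.query, keep_blank_values=True)
    findings = []
    # Report parameter names only, never the values, so the audit output leaks nothing.
    leaked = sorted({k for k, _ in params if k.lower() in CREDENTIAL_PARAMS})
    if leaked:
        findings.append("credential-in-query: " + ",".join(leaked))
    # Look for action words in path segments, parameter names and parameter values.
    tokens = set(re.split(r"[/._-]+", url.path.lower()))
    tokens.update(k.lower() for k, _ in params)
    tokens.update(v.lower() for _, v in params)
    hits = sorted(tokens & DESTRUCTIVE_WORDS)
    if hits:
        findings.append("state-change-via-get: " + ",".join(hits))
    return findings

def audit(lines):
    """Map 1-based line number -> findings, for flagged lines only."""
    return {i: f for i, line in enumerate(lines, 1) if (f := audit_line(line))}

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jun/2008:10:00:00 +0000] "GET /admin/login?user=admin&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.5 - - [22/Jun/2008:10:00:02 +0000] "GET /admin/items/delete?id=7 HTTP/1.1" 302 0',
    '198.51.100.9 - - [22/Jun/2008:10:01:00 +0000] "POST /admin/login HTTP/1.1" 302 0',
    '198.51.100.9 - - [22/Jun/2008:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for lineno, findings in audit(SAMPLE_LOG).items():
        print(lineno, findings)
```

Any flagged URL is a candidate for moving to POST with an authenticated session, since a robots.txt rule only restrains crawlers that honor it.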



