A website's weak password policy that only generates five-character passwords made it vulnerable to brute force attacks, allowing hackers to gain access to user accounts by resetting their passwords and guessing the five-character password generated by the site.