As a software developer, I know mistakes and bugs happen. But this is a pretty nasty security hole. Especially since the documentation went to lengths to assure me that something like this could not happen. I hope they fix it soon. In the meantime, I may have to disable my LJ to prevent "LJ identity theft."
Edit: It appears to be fixed now. See the discussion in pocketlj for the blow-by-blow commentary.