One of the web-mail accounts is using a weak password. Acunetix was able to guess the credentials required to access the service. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name or common variations on these themes.
Enforce a strong password policy. Don't permit weak passwords or passwords based on dictionary words.