Invicti identified an RSA private key in the web site.
When you try to login to a secure server, client application uses a digital signature to prove that you have the private key; the server checks that the signature is valid, and that the public key is authorized for your username. If all is well, you are granted access.
When the private key is unprotected with a passphrase, anybody who steals the key can log into everything you have access to.
Even if it is protected with a passphrase, the attacker can try a huge number of possible passphrases, even with moderate computing resources. If your passphrase is a dictionary word, it can probably be broken in a matter of seconds.