Depending on browser settings sometimes session information is encoded into the URL. In the event that the session has expired this is a non issue, however since his session was active the first people who used his original link hijacked his session.

They don't know his U/P. They don't have access to the site. This is a horrible design flaw in the blizzard forums. Since the thread was linked here it is most likely some DB.com visitor was the one who changed his sig.

He's not accusing, he's just stating what I'd say are pretty solid facts.