It's prolly the script's fault, some vulnerability.

Which script are you using, btw?

Either way, premium links generators are always exposed to those kind of things. Most of the times, a simple http debugger and some base64 decoder is more than enough to leech the acc's data.