It can't be direclty through HTML editor. Did you protect your pages with securityAssist? The CMS content comes from the database right? Power CMS?
They hacked your database, not FCK Editor. They had to get into your admin back end or get direct access to your database to do it.
I'd change my database username / password and make sure you have session level security on all the pages that access the database. Honestly I don't think FCK is the problem in this case.