DNS hijacking shouldn't result in credential compromise if TLS is implemented properly. TLS is implemented here, but incorrectly (hold on) because the credentials are sent as soon as the validation fails and a dialog shows up (about the invalid certificate). So the user will realize they are being MITMed but the credentials are sent even if they don't continue.
https://news.ycombinator.com/item?id=15322740