This is how credit card details were harvested from BA. I bet you use one of the sites on the list. Oh, and The Guardian is one of them.

Major sites running unauthenticated JavaScript on their payment pages

Adam Tinworth @adders