The owner of that site needs to shut it down. This kind of thing was inevitable and we warned about it from the start. Someone has calculated a rainbow table and the passphrase you chose is in it.
Which wallet software did you import the key into? Do we need to put a warning about this site into wallet apps? We need to find some way to kill this stupid and dangerous site asap.
The owner of that site should at least warn that "correct horse battery staple" is a particularly bad password. The fact that barely any bitcoins flow through this one tells me that there is no significant number of noobs using the site. With mass adoption I bet at least 1% of all users would be thankful for this "random" suggestion and go with it. Brainwallet instead should give the user feedback on how secure his key is. Although this might make them feel safe where they shouldn't, it can tell them when they are not safe where they feel safe.
Else it should suggest that, to actually use it, one should use the GitHub version and verify that the signatures of these 4 persons confirm the version has not been tampered with.
How could a brainwallet be compromised?
We should exclude breaking known algorithms, because that would affect all kinds of wallets.
You have a JavaScript brainwallet like brainwallet.org or bitaddress.org or namecoinia.org.
1. It has a connection to the internet and is transmitting your private keys.
You can avoid this if you save the page on your computer and switch off the internet connection when you are generating the keypairs.
Alternatively, you can do it in a VirtualBox container which has no internet connection.
2. You are generating a random keypair; however, it isn't random in reality, but follows a deterministic or stored pattern known to the brainwallet creator.
The source is known (JavaScript) but it is obfuscated and difficult to check. In this case it doesn't matter if you are offline or online.
It is best if you generate a deterministic wallet with a passphrase which is random and long enough, but you choose it and your computer is offline.
In this case I cannot imagine how the brainwallet creator could know the private keys.
Of course there are other attack possibilities also, but they are not brainwallet specific:
if you downloaded from a phishing site, you have some trojans on your computer, or you have written the passphrase on a paper and left it on the table on your bureau.
If the minimized/obfuscated code reduces the entropy by doing something like changing this
privkey_hex = sha256(keyphrase).hexdigest()
to this:
privkey_hex = sha256("evilhackersalt" + sha256(keyphrase)[:3]).hexdigest()
you would get "totally random" keys with every change to your input, but the attacker would actually be the only one to know your private key in a trivial list of a million keys.
You would only notice this once you try to use your password on a non-poisoned brainwallet. Good luck finding your money if you didn't also back up your priv key, just in case this attacker needs time to swipe your money.
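The check implied by the last post, as an added example that is not part of the thread or of any brainwallet project: compare a tool's output with an independent `sha256(keyphrase)` and count distinct keys over many probe passphrases to spot a collapsed key space. Assumptions: `audit_derivation` and its `derive` callable are hypothetical names, the probes are constructed, and `[:3]` is read as keeping 3 hex characters (4096 possible keys).

```python
import hashlib


def reference_privkey_hex(passphrase: str) -> str:
    """The derivation the post gives as the honest one: sha256(keyphrase)."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()


def poisoned_privkey_hex(passphrase: str, keep: int = 3) -> str:
    """The post's tampered line, used here only as a subject for the audit.
    Assumption: [:3] keeps `keep` hex characters of the inner digest."""
    inner = hashlib.sha256(passphrase.encode("utf-8")).hexdigest()[:keep]
    return hashlib.sha256(("evilhackersalt" + inner).encode("utf-8")).hexdigest()


def audit_derivation(derive, probes):
    """Audit derive(passphrase) -> hex key, the output of the tool under test.

    Two independent signals:
      * mismatches: outputs that differ from the reference derivation
      * collapsed:  fewer distinct keys than distinct probe passphrases
    """
    outputs = [derive(p).lower() for p in probes]
    mismatches = sum(1 for p, out in zip(probes, outputs)
                     if out != reference_privkey_hex(p))
    distinct = len(set(outputs))
    return {
        "probes": len(probes),
        "mismatches": mismatches,
        "distinct_keys": distinct,
        "collapsed": distinct < len(set(probes)),
        "ok": mismatches == 0 and distinct == len(set(probes)),
    }


# Constructed probe passphrases; 5000 exceeds the 4096 keys the tampered
# derivation can emit, so duplicates are guaranteed by pigeonhole.
PROBES = [f"audit-probe-{i}" for i in range(5000)]

if __name__ == "__main__":
    for name, fn in (("reference", reference_privkey_hex),
                     ("poisoned", poisoned_privkey_hex)):
        print(name, audit_derivation(fn, PROBES))
```

The mismatch signal needs only one probe, so it works on an offline copy of the page before any funds are sent; the distinct-key count is a second signal that does not depend on knowing the intended derivation.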