What's there to elaborate? A connection where both password and file content are not encrypted and authenticated just screams "please read the password and change the uploaded files" (and with full control over all website files, there are many things an attacker can do).
In times not just the NSA, but many ISPs routinely sniff, and >90% of home routers are completely insecure too (anything from default password and missing updates, to AMT etc.etc), getting to a point where your connection can be read isn't hard either.