If your careless enough to run as administrator, or if you don't lock the hidden administrator down. I do that for all my clients. Of course on anything higher than Home versions, that Administrator is disabled; but I still give it a password before disabling it, on all versions.

(edited) - I've had malware try to log into this hidden account while I'm surfing on my honeypot PC - even as a limited user they can attempt to do this.