Hacking is most commonly seen in two forms: falsely acquiring armor and falsely acquiring weapons. It is not limited to armor and weapons designed for the player; some examples are: playing as the boss, other enemies, npcs.
The vulnerability was first found by developer Raymond Camden, and he posted about it on his website linked here. It seems that he did not extend it past obtaining the best armor and weapon in the game. He wrote code modifying the localStorage in the console found in the web inspector.
Browserquest stores the user's data (armor, weapon, name, achievements, etc.) in localStorage. LocalStorage is essentially sectioned off disc space on a user's computer that stores data accessible by websites - similar to cookies. You can learn more about localStorage on developer.mozilla.org
You can change your name, weapon, armor, achievements, and the image of your character on the loading screen by using the method described above.
Browserquest App by Mads & Peter Sandberg Brun Edit
Hacking the Browserquest app is much more difficult than hacking the online version! The only one I have seen hacked is the app for Windows 10. It replicates the same hack outlined above: a user can change his save data to obtain different armor, weapons, etc.
There is a file named 'settings.dat' in the hidden appdata folder. The file contains the string that was in localStorage on the online Browserquest version and can be manipulated in a similar manner to get the same results. See this tutorial for more information.