We believe that bots were performing brute-force login attempts on accounts and eventually gained access to some of them. I don't believe that plain passwords have been compromised, as they are encrypted with salts in our member database.
In response, we have reset these accounts' passwords and implemented several new security measures:
- After 5 failed login attempts, you will be blocked from logging in for 60 seconds. An email will also be sent to the account owner and a modlog entry made.
- If you log in from an IP that has been blacklisted by dronebl.org, it will be recorded in the modlog.
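
The two measures above, sketched as an added example (this is not the site's own code). It assumes the lockout is tracked per account in memory, uses an `events` list as a stand-in for the email and modlog, and assumes `dnsbl.dronebl.org` as the DNSBL zone; the class and function names are hypothetical.

```python
import ipaddress
import time

MAX_FAILURES = 5        # from the announcement
LOCKOUT_SECONDS = 60    # from the announcement


class LoginThrottle:
    """Per-account failed-login counter with a temporary lockout (assumed design)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> time at which the lockout ends
        self.events = []        # stand-in for the email queue and the modlog

    def is_locked(self, account):
        return self.clock() < self.locked_until.get(account, 0.0)

    def attempt(self, account, password_ok, ip):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(account):
            # Refuse regardless of password_ok, so a correct guess made
            # during the lockout is not confirmed to the client.
            return "locked"
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= MAX_FAILURES:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
            self.failures[account] = 0  # start a fresh count after the lockout
            self.events.append(("email_owner", account, ip))
            self.events.append(("modlog", account, ip))
        return "failed"


def dnsbl_query_name(ip, zone="dnsbl.dronebl.org"):
    """DNS name to resolve for an IPv4 DNSBL lookup (octets reversed + zone)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone
```

A DNSBL lists an address when the name returned by `dnsbl_query_name` resolves to an A record; a lookup that returns no such name means the address is not listed.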
We have several more security features planned, such as 2-step authentication and irregular location notifications.
Remember to always use strong passwords. If you don't use a password manager, you should! Try KeePassX.
Big thanks to mini for detecting the issue.