Over the weekend our admins detected some kind of security breach which has affected several thousand accounts. It appears that a small number of IPs had successfully logged into several thousand accounts. Some of these IPs were found to be on IP blacklists.
We believe that bots were performing brute force login attempts on accounts and eventually gained access to some of them. I don't believe that plain passwords have been compromised as they are encrypted with salts in our member database.
As a response we have reset these accounts' passwords and implemented several new security measures:
After 5 failed login attempts, you will be blocked from logging in for 60 seconds. An email will also be sent to the account owner and a modlog entry made.
If you log in from an IP that has been blacklisted by dronebl.org, it will be recorded in the modlog.
We have several more security features planned, such as 2-step authentication and irregular location notifications.
Remember to always use strong passwords. If you don't use a password manager, you should! Try KeePassX.
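The lockout and blacklist logging described in the two measures above could look like the sketch below. This is an added example, not the site's actual code. The class name, the per-account keying, the in-memory `modlog` and `outbox` lists, and the `is_blacklisted` callback (standing in for a dronebl.org lookup) are all assumptions made for illustration.

```python
import time

MAX_FAILURES = 5        # from the post: 5 failed login attempts
LOCKOUT_SECONDS = 60    # from the post: blocked for 60 seconds


class LoginThrottle:
    """Per-account failure counter with a timed lockout (hypothetical class)."""

    def __init__(self, clock=time.monotonic, is_blacklisted=lambda ip: False):
        self.clock = clock                    # injectable so the logic is testable
        self.is_blacklisted = is_blacklisted  # assumption: wraps a DNSBL lookup
        self.failures = {}                    # account -> consecutive failures
        self.locked_until = {}                # account -> time the lockout ends
        self.modlog = []                      # stand-in for the real modlog
        self.outbox = []                      # stand-in for the email queue

    def attempt(self, account, ip, password_ok):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        now = self.clock()
        if now < self.locked_until.get(account, 0):
            # Reject before looking at the password, so guesses made during
            # the lockout reveal nothing, even when one of them is correct.
            return "locked"
        if password_ok:
            self.failures.pop(account, None)
            if self.is_blacklisted(ip):
                self.modlog.append(("blacklisted_ip_login", account, ip))
            return "ok"
        count = self.failures.get(account, 0) + 1
        if count < MAX_FAILURES:
            self.failures[account] = count
            return "failed"
        # Fifth failure: start the lockout, reset the counter, notify.
        self.failures.pop(account, None)
        self.locked_until[account] = now + LOCKOUT_SECONDS
        self.modlog.append(("lockout", account, ip))
        self.outbox.append(account)           # owner gets one email per lockout
        return "failed"


if __name__ == "__main__":
    throttle = LoginThrottle()
    # Constructed sample: six wrong guesses from a documentation-range address.
    print([throttle.attempt("alice", "203.0.113.7", False) for _ in range(6)])
```

A lockout keyed only on the account slows guessing against one account but not one guess each against many accounts, which is why the blacklist logging is tracked separately by IP.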