We are pissed and dismayed to say that our website server has been compromised. Thanks to tekniklr and birds investigation about password reset issues we now experience that someone, possibly through a PHP or Vanilla bug, was able to access the server and all our hashed passwords. Did we mention pissed?
Securing and patching the server ASAP is the priority for us. We are also reporting this to the haveibeenpwned site so any less active users will know.