I believe it is my legal obligation to inform everyone we've had a break-in. Presumably by a bot.
At 2PM yesterday I received a report that malware was being hosted on our server and that it was likely we had been compromised. In fact, it appears that some entity had gained root access to our server and loaded a phishing page up on it. The files all belonged to the root account, which means that the entity had full access to our system; this includes databases.
I don't think anyone should be overly concerned, as all passwords are handled by SMF and are therefore salted and hashed.
We are unsure how the break-in occurred, but we believe it may have been related to an old wordpress install hosted elsewhere on this server. From this point forward, no one say "Wordpress" to me.
So, in an effort to uphold due dilligence, etc, this is your warning that it is possible (but unlikely) that someone has a copy of all salted password hashes. It is also possible they have a large list of email addresses. It is also possible (if extremely unlikely) that they can retrieve your password by allocating their presumably large network of bots to brute forcing the hashes. I wouldn't worry about that happening.
Most people don't use very powerful passwords over http, anyway.
So, this is your heads up. Sorry about the shitty news. We're wiping old shit we don't maintain and putting more security in place to prevent this from happening again.