Sorry to keep dragging this out- but it's my understanding, and I could be wrong, that this flaw that we have been told could have accounted for this problem allows an unauthorized user to access other registered user's accounts via their profile page, and without a password.
Don't ask me how it's done, but this alert describes it-

It is easy to understand that such an attacker might go down a list of members alphabetically, that would be my guess.

The thing is, the accounts weren't necessarily in alphabetical order. IIRC, at least 3 of those who voted were DU1995 (who magically last logged in yesterday since not posting anything since April of 2007), RHS (who apparently has since been deleted), and Tornado. I forget who the others were, because the poll was taken down shortly after I mentioned something and my memory is not photographic.

The odds of someone getting into users accounts and hitting a run of people that aren't in alphabetical order who never post anything, and then an administrator, strikes me as odd.

The reason this "hacker" thing doesnt fly is because it all comes down to motive. There are MILLIONS of sites (or parts of sites) for a programmer to target. When a given site is target, there is a reason for it. The only thing gained by this "hacking" was Les' "grade" was made better.

The question is who and why would want to do that, and whether or not that is important enough thing to draw ANY interest from someone with the requisite skills.

-----------------
I feel comfortable that there was no hack at all, and someone with access to the database just added the records directly.

I personally dont care who did it, but, all of this "hack" talk is just absurd - that did not happen.

We have the names of those that "voted", and those accounts have all been suspended to prevent further unauthorized access.
They were all longtime inactive users.
I am the one and only person with administrative control.
Neither moderators nor administrators can post under a users name without knowing the password that was set by the user.
An administrator can reset a user's password, but again, I am the only administrator, and I have better things to do with my time.

I am convinced beyond any doubt that this was done by a hacker who had figured out and exploited the known flaw described above.
I have suspicions who it might have been, and that we might have been targeted by someone rather than a random event, but nothing can be proven.

If anyone has any further questions, please feel free to send me a PM, as I will not discuss this further on the board.
This thread will be locked.