Exponent websites under attack.
For the past few weeks, many Exponent websites have been under attack and were successfully hacked.
The type of hack and the process for executing it have been identified. By passing some clever SQL through the URL to certain Exponent modules that lack proper sanitization of request values, the hackers were able to pull information from the user table. Passwords for Exponent users are converted to an MD5 hash before being saved to the database, but if a password isn't strong enough, the hackers were able to easily take the MD5 hash to any number of websites that will reverse it, giving them the access they need to mess with an Exponent site to their liking.
Details about how this hack was accomplished, and how to protect your site against these attacks, are explained in detail in this thread.
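The two weaknesses described above, shown against a constructed in-memory database as an added example (Python, not Exponent's own code and not taken from the linked thread): a query built from a raw request value beside a validated, parameterized one, and unsalted MD5 beside salted PBKDF2. The table names, function names and sample values are assumptions made for the illustration.

```python
import hashlib, hmac, os, re, sqlite3

def make_db():
    # Constructed sample data standing in for a CMS database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("CREATE TABLE user (username TEXT, password TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)", [(1, "Launch"), (2, "Update")])
    db.execute("INSERT INTO user VALUES (?, ?)",
               ("admin", hashlib.md5(b"letmein").hexdigest()))
    return db

def titles_unsafe(db, raw_id):
    # Flawed pattern: the request value becomes part of the SQL text.
    return [r[0] for r in db.execute("SELECT title FROM news WHERE id = " + raw_id)]

def titles_safe(db, raw_id):
    # Reject anything that is not a short decimal id, then bind it as a parameter.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []
    return [r[0] for r in db.execute("SELECT title FROM news WHERE id = ?", (int(raw_id),))]

def md5_lookup(digest, wordlist):
    # Unsalted MD5: one precomputed table reverses every weak password at once.
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return table.get(digest)

def hash_password(password, rounds=600_000):
    # Per-user random salt plus a slow KDF makes precomputed tables useless.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    # Recompute with the stored salt and rounds, compare in constant time.
    _, rounds, salt, dk = stored.split("$")
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), int(rounds))
    return hmac.compare_digest(cand.hex(), dk)

if __name__ == "__main__":
    db = make_db()
    crafted = "0 UNION SELECT password FROM user"   # constructed request value
    leaked = titles_unsafe(db, crafted)
    print("unsafe:", leaked, "->", md5_lookup(leaked[0], ["123456", "letmein"]))
    print("safe:  ", titles_safe(db, crafted), titles_safe(db, "2"))
    print("stored:", hash_password("letmein"))
```

Hashing the same password twice with `hash_password` yields two different stored strings, so a leaked row no longer maps to a shared lookup table.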