There was a vulnerability of some kind on the forum that allowed an attacker to login to seemingly arbitrary accounts. I received reports that this was due to brute forcing the password recovery email link, but some some compromised accounts did not have their password changed. There may be more than one vulnerability and it may not be fixed. My confidence in smf is low.
I have taken the following actions:
* Updated to SMF 2.0.15
* Changed email recovery code to be 40 characters instead of 10
* Deleted lastest 1000 posts and latest 42 topics (approximately covering the period in which accounts were compromised)
* Restored user data from 2018-05-03 backup (so your passwords and profile info will be whatever it was two months ago)
Updating the forum involved resetting all user permissions and porting over various hacks and fixes. If I've missed something critical, please tell me directly via PM or email.
Update: If you have not done so since the update, I'd recommend changing your password.