So I don't exactly know what's going on. The attacks appear to be opportunistic, getting the accounts they can. If there were a vulnerability to account login they would just log in to my account or rotondo's and forget up everything.

What I've done is forced on HTTPS, deleted all existing sessions/cookies, and updated a few of the SMF session hashing functions and seed values. This would mitigate some types of session hijacking, if that's what was happening. The most likely answer is probably phishing. It's happened multiple times before, with some huge body counts. It's not always as obvious as "enter your key for blockland gold".
I survived
The defcon should be higher
Like 4.1