I just discovered a few accounts with suspicious logins. There are likely more.
Here are the possibilities:
1. A data leak from another site provided the attacker with exact passwords for these accounts. Phishing is unlikely due to the age of the accounts, but data dumps like this happen all the time and people don't always use different passwords for each site like they should.
2. Accounts were compromised more than two months ago (the age of the user table backup that I restored after the forum upgrade), passwords were changed, and the attacker is very patient.
3. A vulnerability at some point allowed an attacker to dump the crappily hashed SMF password table for offline cracking. Easy passwords get cracked first, hence the target-of-opportunity style attacks.
4. An unknown login vulnerability on the forum still exists, but requires some special conditions so they can't just log into my account and wreck the place (else they would do it).