An attacker gained access to a bunch of accounts. My best guess at this point is they brute forced the passwords over some period of time and were sitting on them waiting for an opportunity to drain them all at once. A small handful had been drained over the last month or two but last night about 130 accounts were hit. I've put in some measures to try to rate limit login attempts now and I may consider adding minimum password strength requirements.
From Adam:
An attacker gained access to a bunch of accounts. My best guess at this point is they brute forced the passwords over some period of time and were sitting on them waiting for an opportunity to drain them all at once. A small handful had been drained over the last month or two but last night about 130 accounts were hit. I've put in some measures to try to rate limit login attempts now and I may consider adding minimum password strength requirements.