Neither the servers nor the database were compromised. There were no SQL injections.
At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.
Using the key the hacker imitated LR deposits from many accounts and bought up Bitcoins, Namecoins and Litecoins.
I wonder how the attack worked... You think there's a way to brute force the API key offline? Did btce or LR allow millions of attempts at guessing it? Probably got hacked some other way.