The attacker was able to empty the balance on accounts with the API key enabled. The issue is being actively looked into. API access has been disabled.
Everyone who has lost money will be fully reimbursed.
Pretty scary. Luckily my coins are intact. I have never enabled the API keys.