A full update will be posted soon, don't panic. Only people with the API key enabled was compromised (and will be reimbursed), passwords are securely stored one way in the database.
Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).
There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.
by the way, just wondering, what are API keys? are they some special feature which allows access to our account, and how do I disable such a feature if it is ON