I spent the better part of the day investigating this issue.
- It's not a pool side hack - No pool servers are or were compromised
- It's not a pool-side close network hack - No datacenter infrastructure is compromised
- It only affects certain clients, is not pool wide, and affects affected clients repeatedly
Presumably there is some issue with some client side routing hardware that is being exploited. Anyone affected, please post how you're connected to the net. PC->Router->Cable Modem, etc, with makes/models of such so we can possibly narrow this down.
Also OS. If TCP sequence numbers are being predicted, it could be that the OS isn't making the initial sequence number hard enough to guess.
Really there's no excuse for not using SSL, though.
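Added example, not part of the post above: a simplified way to check what "hard enough to guess" means for a host's TCP initial sequence numbers, scoring the spread of successive ISN steps on constructed samples (the step-spread score and its thresholds are my own assumptions, not any scanner's exact formula).

```python
import math
import random
import statistics
from typing import Sequence

ISN_MODULUS = 1 << 32  # TCP sequence numbers are 32-bit


def isn_deltas(isns: Sequence[int]) -> list:
    """Steps between consecutive ISNs, reduced modulo 2^32 so that a
    wrap-around does not show up as a huge spurious jump."""
    return [(later - earlier) % ISN_MODULUS
            for earlier, later in zip(isns, isns[1:])]


def isn_spread_bits(isns: Sequence[int]) -> float:
    """Rough unpredictability of the steps, in bits: log2 of the population
    standard deviation of the deltas. 0 means every step is identical.
    Assumption: a simplified score, not a scanner's published index."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    return math.log2(statistics.pstdev(deltas) + 1)


def classify_isn_sequence(isns: Sequence[int]) -> str:
    """Thresholds are assumptions chosen for illustration."""
    bits = isn_spread_bits(isns)
    if bits < 1:
        return "trivially predictable: constant increment"
    if bits < 16:
        return "weakly randomized"
    return "randomized"


# Constructed sample sets (not captured from any real host).
CONSTANT_STEP = [1000 + i * 64000 for i in range(10)]      # fixed +64000
JITTERED_STEP = [1000]                                      # +64000 with small jitter
for step in (64000, 64010, 63990, 64005, 63995, 64002, 64008):
    JITTERED_STEP.append(JITTERED_STEP[-1] + step)
_rng = random.Random(1)
RANDOM_ISNS = [_rng.getrandbits(32) for _ in range(20)]     # full 32-bit random

if __name__ == "__main__":
    for name, sample in (("constant", CONSTANT_STEP),
                         ("jittered", JITTERED_STEP),
                         ("random", RANDOM_ISNS)):
        print(f"{name:9s} {isn_spread_bits(sample):5.1f} bits  "
              f"{classify_isn_sequence(sample)}")
```

On a real host the samples would come from the SYN-ACKs of several fresh connections to the same port; a constant or jittered step is the failure mode the post speculates about.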