Hello, it appears a malicious user has logged in to 22 different accounts. Because of the limited nature (vs all 4000+ accounts) I believe the hacker either used some brute force method, or an existing leak of usernames/passwords to try and log into accounts. For example, the MTGox leak a while back.
I've temporarily disabled all PIN, Address, and Payout changes, so you will not be able to change your password at the moment (but neither will any hacker). I sent an email out to the affected accounts that I know about at the moment.
Once the malicious user got into an account, he brute forced address change attempts by trying different PIN numbers. If he was successful, he then sent a manual payment to the new address.
So far, this appears to have only happened once (but could have been a couple more, still looking), as he could only try one PIN per second due to server restrictions.
I'll be working on changes to make this attack not possible in the future, and account changes will be disabled until then.
Malicious user information:
IP: 79.172.242.141
Malicious address:
http://blockexplorer.com/address/17JuYfk8bWUHvAfRv5eF7zUic1g3qrDobz
I believe this represents the majority of any bitcoins stolen from this attack.
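The post describes two distinct behaviours a pool operator could have caught earlier: one source IP authenticating to many unrelated accounts (a leaked-credential or brute-force login campaign), and a burst of failed PIN checks on one account just before a payout address change (the one-PIN-per-second brute force). The script below is an added example and not the pool's own code; it runs both detections over constructed sample log lines (the log format, the IPs, account names and thresholds are all assumptions) and then shows a per-account PIN lockout with doubling cooldowns, which is one way to make a second-long rate limit insufficient for exhausting a short PIN.

```python
"""Added example (not the pool operator's code).

Detects the two behaviours described in the incident post over a constructed
auth log, and shows a per-account PIN lockout with exponential cooldown.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. The format is an assumption:
#   <ISO timestamp> <source ip> <account> <event> <result>
SAMPLE_LOG = """\
2011-06-20T10:00:00 198.51.100.7 alice login ok
2011-06-20T10:00:03 198.51.100.7 bob login ok
2011-06-20T10:00:05 198.51.100.7 carol login ok
2011-06-20T10:00:06 198.51.100.7 dave login ok
2011-06-20T10:00:09 203.0.113.9 erin login ok
2011-06-20T10:01:00 198.51.100.7 alice pin_check fail
2011-06-20T10:01:01 198.51.100.7 alice pin_check fail
2011-06-20T10:01:02 198.51.100.7 alice pin_check fail
2011-06-20T10:01:03 198.51.100.7 alice pin_check fail
2011-06-20T10:01:04 198.51.100.7 alice pin_check fail
2011-06-20T10:01:05 198.51.100.7 alice pin_check ok
2011-06-20T10:01:06 198.51.100.7 alice address_change ok
2011-06-20T10:05:00 203.0.113.9 erin pin_check fail
2011-06-20T10:05:30 203.0.113.9 erin pin_check ok
"""


def parse(log_text):
    """Parse the constructed log into (timestamp, ip, account, event, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, event, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, event, result))
    return events


def ips_logging_into_many_accounts(events, window=timedelta(minutes=10), threshold=3):
    """Flag source IPs with successful logins to >= threshold distinct accounts in a window.

    Returns {ip: sorted list of accounts seen in the first offending window}.
    """
    logins = defaultdict(list)
    for ts, ip, account, event, result in events:
        if event == "login" and result == "ok":
            logins[ip].append((ts, account))
    flagged = {}
    for ip, entries in logins.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            accounts = {acct for ts, acct in entries[i:] if ts - start <= window}
            if len(accounts) >= threshold:
                flagged[ip] = sorted(accounts)
                break
    return flagged


def pin_bruteforce_accounts(events, window=timedelta(minutes=1), max_failures=3):
    """Flag accounts with more than max_failures failed PIN checks inside a window.

    Returns {account: number of failures in the first offending window}.
    """
    failures = defaultdict(list)
    for ts, ip, account, event, result in events:
        if event == "pin_check" and result == "fail":
            failures[account].append(ts)
    flagged = {}
    for account, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count > max_failures:
                flagged[account] = count
                break
    return flagged


class PinAttemptLimiter:
    """Per-account PIN lockout: after max_failures, lock for base_lockout,
    doubling the lockout each time the account trips the limit again.
    A plain one-attempt-per-second limit still lets a short PIN be exhausted
    in hours; a growing lockout stretches that into weeks."""

    def __init__(self, max_failures=5, base_lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.failures = defaultdict(int)   # consecutive failures per account
        self.strikes = defaultdict(int)    # how many times the limit was hit
        self.locked_until = {}

    def allowed(self, account, now):
        until = self.locked_until.get(account)
        return until is None or now >= until

    def record_failure(self, account, now):
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.strikes[account] += 1
            self.failures[account] = 0
            self.locked_until[account] = now + self.base_lockout * 2 ** (self.strikes[account] - 1)

    def record_success(self, account):
        self.failures[account] = 0
        self.locked_until.pop(account, None)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("credential-stuffing IPs:", ips_logging_into_many_accounts(evs))
    print("PIN brute-force accounts:", pin_bruteforce_accounts(evs))
```

In the sample, the first check flags the single IP that logged into four accounts within seconds, and the second flags the account that took five PIN failures in a row before the address change; the legitimate user with one typo is not flagged. In the limiter, the lockout is keyed on the account rather than the source IP, so it holds even if the attacker rotates addresses, and a successful PIN entry clears the counters so a legitimate user is not penalised later.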