Hello, it appears a malicious users has logged in to 22 different accounts.  Because of the limited nature (vs all 4000+ accounts) I believe the hacker either used some brute force method, or an existing leak of usernames/passwords to try and log into accounts.  For example, the MTGox leak a while back.

I've temporarily disabled all PIN, Address, and Payout changes, so you will not be able to change your password at the moment (but neither will any hacker.)  I sent an email out to the affected accounts that I know about at the moment.