I've got quite bad news here. It's exactly what the title says: I've just discovered that AAO has been hacked in the past few months.
tl;dr
See the "Action required" part below if you don't care about the details.
What happened
More precisely, my FTP access to AAO's file server was obtained by a brute-force attack, apparently originating from China, and used to hide spam links in hidden parts of the site.
This is not too much of a problem, since the files stored there include no personal data - only the site and forum scripts, which I'm currently checking for malicious edits but seem fine, and the trial resource files.
All your sensitive data (email, password, etc.) is stored on a different server - which does not seem to have been attacked. Thankfully, its entry point is a little hidden...
However, I can't be positive that no one accessed it - and in fact, it's very possible that they did, if they were clever enough. Your password may have been compromised.
Passwords are only stored as "hashes" in AAO's database - meaning that the real password should not be deducible from the database contents. But "should" is not what I consider a high enough standard in terms of security...
Anyway, I have discussed the matter with my host, and we have changed all my accesses, fixed the bug that made the brute-force attack possible - and additionally brought the security a few levels higher. We're safe again for a while - at least until I get the time to take care of the "2nd part" of the move that I had mentioned in the previous announcement, and set up my own security systems.
However, even though your data should be fine, one is better safe than sorry.
So here are a few things you should do to make sure there's no risk.
Action required
- First, you should change your password on AAO.
- Second, if you used the same password for your email address, you must change it there too.
Indeed, your email address is stored in the database: attackers may have had access to both it and your AAO password. If your AAO password is the same as for the email, you get the idea...
- If you used the same email address and the same password to register on other websites, you should change it there too, to be perfectly safe.
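The "What happened" part above says passwords sit in the database only as hashes. As an added illustration (my own example, not AAO's code, which is not shown here), this is what such storage looks like when each user gets a random salt and a slow key-derivation function: a copied table yields salts and digests, and checking a login means recomputing the digest rather than reading the password back.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factors (assumed values for this example): n must be a power of two,
# and the derivation uses roughly 128 * n * r bytes of memory (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
MAXMEM = 64 * 1024 * 1024


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$<n>$<salt hex>$<digest hex>'.

    A fresh random salt per user means two accounts with the same password
    produce different records, so a leaked table cannot be matched against
    one precomputed list of common passwords.
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=MAXMEM, dklen=32)
    return f"scrypt${SCRYPT_N}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, n, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=MAXMEM, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_records(records: list) -> bool:
    """True if any two stored records are identical.

    With unsalted hashes, users sharing a password show up as identical rows,
    which is exactly the information a salted scheme hides from a leaked table.
    """
    return len(set(records)) != len(records)
```
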