I agree with you TheX, I saw it happen twice on our forum. We were very lucky because the control panel isn't where it should be, so they could only delete topics, which is serious enough though.
I have searched for the method that was used and it seems that this is a huge vulnerability.
Is there any news about the MD5 encryption method on passwords/cookies yet?
Infopop has to give this issue a number one priority.