Quote:
|
Originally Posted by punkworld
Here's a step-by-step list of what to do:
1. Make sure your server hasn't been hacked. If it has been, fix the problem.
2. Make sure your password file isn't accessible. Check for (known?) security issues with any scripts you are using, and implement any common sense security measures you haven't implemented yet (e.g. placing your password file in a directory that isn't web-accessible, etc.)
3. Start checking signups and existing username/password combos against common wordlists. Respectively, change them and stop allowing them.
4. If the problem doesn't stop... (this will hurt) get all your members to change their passwords.
5. Try and make unhappy hacked members happy again by giving them a free week of access or whatever.
|
Thanks man, much appreciated.
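
Step 3 of the quoted list, sketched as an added example that is not part of the original posts: a signup-time check that refuses wordlist passwords, plus an audit of existing accounts. It assumes passwords are stored as salted PBKDF2-SHA256 records; the function names, the record layout and the tiny wordlist are all hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; in practice load a real common-password list from disk.
COMMON = {"password", "123456", "qwerty", "letmein", "dragon"}
ITERATIONS = 100_000  # assumed work factor for the stored hashes


def is_weak(username, password, wordlist=COMMON):
    """Signup-time check: refuse wordlist passwords and username-derived ones."""
    p = password.strip().lower()
    u = username.strip().lower()
    return p in wordlist or p == u or p == u[::-1]


def hash_password(password, salt=None):
    """Return (salt, digest) in the storage format this example assumes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def audit_existing(records, wordlist=COMMON):
    """Return the usernames whose stored hash matches a wordlist entry or
    their own username, so those accounts can be forced to change password.
    Only exact candidates can be tested against a hash (no case folding)."""
    flagged = []
    for user, (salt, digest) in records.items():
        for cand in set(wordlist) | {user, user.lower()}:
            trial = hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, ITERATIONS)
            if hmac.compare_digest(trial, digest):
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    # Constructed member records for the demonstration.
    members = {
        "alice": hash_password("letmein"),
        "bob": hash_password("bob"),
        "carol": hash_password("c0rrect-h0rse-9!"),
    }
    print("force a password change for:", audit_existing(members))
    print("reject signup dave/QWERTY:", is_weak("dave", "QWERTY"))
```

The audit costs one hash computation per candidate per account, so a large wordlist is better run as an offline batch job than inside the signup path.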
