Hypothesis: Wasn't one of the reasons Wayne moved away from Xoops the presence of some significant security holes? Maybe the AW.net server is the weak point. Is anyone in touch with the admins over there?
Fortunately, the only other place I'm registered is Morphzone, and my password there is so convoluted that even I can't remember it!
Just did a passwd Matt_H, nonetheless.
The obsolete part it the cms, the xoops is old and obsoleted, and will be replaced, it takes time though.
The OS the site runs on, was changed when aw.net moved to a new ISP, and is up to date.
Quoting Karlos regarding where the passwords come from:
"We have no evidence at this time to suspect that the server itself has been compromised. "
Same goes at aw.net, Sibbi has not found anything strange in the logs this far.