To all.
I do take security extremely seriously. Because I'm not an expert in server security, I pay extra for a fully managed service to ensure that someone else deals with server security and updates etc.
As far as the forum software goes I am extremely diligent about applying patches as soon as possible after they are released.
I have also learnt over the past few days from various information & topics at reddit/r/darkweb & reddit/r/DarkNet that using an email prefix is no longer a valid way of identifying that a particular forum has itself had a data breach. Hackers and bots have now got more sophisticated, and rolling on the back of some very large breaches such as MySpace/LinkedIn/Avast/Adobe/etc. they are now clever enough to identify domain email addresses which are using different prefixes at different forums.
It will explain why the email address I used for another suddenly started getting spam a few weeks ago out of the blue. I'd not been there in years, but when I checked over there and it seems it may be similar to what has happened here. There are only 2/3 people saying it's happened, but on reflection I think that is also something that may have happened after the Avast hack which did affect me. So it appears whatever it is, may also be happening on other [SMF?] forums.
It explains why after the larger breaches those sites warned to change passwords on other sites too. Although they never mentioned why you should, it is now apparent that there are bots out there crawling other forums to see if they can get even more info. I think some of us may have felt safe because we were using unique prefixes.
I thank andrue and others for alerting me. I must admit that at first I was highly alarmed because at that time I too was under the impression that using prefixes was a way of identifying breaches. If there was something wrong or a hole somewhere then obviously I wanted to plug it.
However, as it stands my server is secure, and it also seems odd that normally with breaches then you would expect everyone's email to have been disclosed and they usually leave behind other damage such as taking the whole forum down.
I think I'm putting this to bed now as there seems to be nothing more I can add.