I received an obviously-spam e-mail from my hosting company and contacted them about it. They replied:
I apologize for the inconvenience caused. The reason you received the email was because our vBulletin forums script seems to have been exploited and was being used to send mass emails.
We have disabled the script and put it in maintenance mode. Please be assured, we do not disclose our clients' email addresses. However, it seems the spammer seems to have used our exploited script to send mass emails. The moment we noticed this, we put our community forums into maintenance mode.
However, I have never used their forums, so I couldn’t see why a hacked forum would affect me. I said as much to the company, and they said:
The spamming that was done was done due to an exploited script, where malicious files were uploaded to our exploited forums, and were used for spamming.
We never had your email address, as far as I believe, however the spammer uploaded his email database, and used our exploited forums as a medium to spam people. Most likely your email was in that database that was uploaded by the spammer, as a result you were one of those people who received those spam emails believing it was sent by us.
I again apologize for the spam emails that you received because of our exploited forums. As you see, we have immediately taken down our forums for maintenance purposes to get it patched and secured.
Well, that can’t be right, because I received the spam e-mail at three different e-mail addresses, all of which I have used for accounts with this company, and one of which I have only used for accounts with this company, so the only place the spammer could have obtained it is from there. I explained all this, and they replied:
First of all we never disclose our clients' contact address, also from the files which were uploaded by the exploiter used the Mass Email Sender script and it queried the SQL command through PHP, picking up the contact details and sent the mass email.
We’ve already disabled the old exploited forums, and updated the forum application with the latest version along with the security patch provided by the vBulletin team.
Frankly, I don’t even understand that one. My knowledge of PHP, SQL and how forums operate is minimal, to say the least.
If only the forum was hacked, surely they shouldn’t be able to obtain my details, given I’ve never used the forums? And could they have obtained other information, such as my passwords? (I’ve changed them all, just to be on the safe side.) Am I being paranoid, as usual, or is my hosting company not taking this seriously enough?