I don’t think there’s likely to be a problem beyond the defacing of the site. They seem to have somehow created a user which could then edit the category description to include their banner.
Changes seem to be limited to forum settings, so nothing outside the forum database.
Passwords are stored in the database as a “hash” – i.e. password “lalala” would come out looking like 213123131abce332112, so even if someone got them they would be no use.
It would be possible that a naughty admin user could overwrite a password, but I don’t think they can be read/stolen as such since they’re not stored in plain text.
Essentially I can either shut it down till I’ve had time to poke through the logs and figure out what’s happened, and have time to upgrade the site and re-do the modifications, or we can try stronger passwords and just carry on for the mo – with regular backups.
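The two points above about hashed storage and overwritten passwords, as an added example that is not part of the original message: a stored hash verifies a password without containing it, and comparing the live user table against a backup shows which accounts were overwritten or newly created. The salted PBKDF2 scheme, the dictionary "tables" and all function names are assumptions for illustration; the message does not say which forum software or hash scheme is in use.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this illustration


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex'; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def changed_accounts(backup, live):
    """Usernames whose stored hash differs from the backup, or that are new."""
    return sorted(user for user, h in live.items() if backup.get(user) != h)


def build_sample_tables():
    """Constructed sample data: a backup and a live table after tampering."""
    backup = {
        "alice": hash_password("lalala"),
        "admin": hash_password("original admin password"),
    }
    live = dict(backup)
    live["admin"] = hash_password("replacement password")  # hash overwritten
    live["banner_user"] = hash_password("whatever")         # account added
    return backup, live


if __name__ == "__main__":
    backup, live = build_sample_tables()
    print("stored value for alice:", backup["alice"])
    print("alice can still log in:", verify_password("lalala", live["alice"]))
    print("accounts to review:", changed_accounts(backup, live))
```

Run against real exports, the same comparison gives a list of accounts whose owners should be asked to reset their passwords.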