If it makes you feel any better, I'm pretty sure he didn't get many emails/passwords.
I logged on at 7AM EST, and the site was fine. I was reading through
the amusing avatars thread. I clicked to go to the next page when I noticed the forums were "down" with the interesting new title. I checked the homepage, noticed the same message. I took down the entire site. Total time between noticing the site was hacked and taking the site down was at most 4-5 minutes.
I have a friend who can read Cyrillic, so was able to mostly decipher the hacker's website. Under the defacement section, he proudly boasts cdrlabs.com as a successful hack. He claimed he got 4-5 passwords, 2 of which were admin passwords. That's when he was able to gain access to the administrative panel and send out the mass email. I will emphasize this next part because it's important to note:
The phpBB admin panel has a one click button to send out emails to all members. The hacker does not have a hardcopy list of all our members' email addresses. Just a small handful.
We would still advise everyone to change their passwords to be safe, but the most important ones, the admin/moderator passwords must be changed. As far as I know, we have all changed our passwords. We didn't want to cause a mass panic by saying "CHANGE YOUR PASSWORDS NOW!"
Hope that helps.