According to a recent post on the Exponent CMS website, a large number of websites running Exponent CMS have been successfully attacked by hackers.
From the post:
The type of hack and process for execution have been identified. With the combination of some clever SQL passed through via URL to certain Exponent Modules lacking proper request value sanitation, the hackers were able to pull up information from the user table. The passwords for Exponent users are converted to an MD5 hash before being saved to the database, but if the password isn’t strong enough, the hackers were able to easily take the MD5 hash to any number of websites that will reverse the MD5 hash, giving the hackers the access they need to mess with an Exponent site to their liking.
Details about how this hack was accomplished, and how to protect your site against these attacks, are explained in this thread.
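The two weaknesses named in the quoted post (request values reaching SQL unsanitized, and passwords stored as a single unsalted MD5 hash) shown beside their standard fixes. This is an added Python sketch, not Exponent's code; the table layout, function names, sample passwords and iteration count are assumptions.

```python
import hashlib, hmac, os, re, sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

def legacy_md5(password: str) -> str:
    """The scheme the post describes: one unsalted MD5 pass."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str) -> str:
    """Per-user random salt plus a slow KDF, stored as 'salt$digest' in hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a CMS user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user (username, password) VALUES (?, ?)",
                     [("alice", hash_password("sunshine1")),
                      ("bob", hash_password("sunshine1"))])
    return conn

def get_username(conn: sqlite3.Connection, raw_id: str):
    """Look up a user from a request value without letting it alter the SQL."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):  # allow-list: plain integer only
        return None
    row = conn.execute("SELECT username FROM user WHERE id = ?",
                       (int(raw_id),)).fetchone()  # bound parameter, never concatenated
    return row[0] if row else None

if __name__ == "__main__":
    conn = make_db()
    # Unsalted MD5: the same password gives the same hash for every user and every
    # site, which is why public lookup tables can reverse weak passwords.
    print(legacy_md5("sunshine1") == legacy_md5("sunshine1"))
    # Salted KDF: alice and bob share a password but their stored values differ.
    print([r[0][:12] for r in conn.execute("SELECT password FROM user")])
    # Constructed non-integer request value is rejected before reaching the query.
    print(get_username(conn, "1"), get_username(conn, "1 OR 1=1"))
```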