The bottom of the forum lists the latest user/username who joined the site. Since our site is 100% WordPress, registering on the site anywhere registers you for all our services, including the forum, regardless if you use the forum or not, so your username would still appear there as the latest user.
After your email this morning I looked at the members list and noticed several other users who had used email addresses as their username, so I trashed the page. My guess is one of our many registration forms label wasn't clear that were asking for a username. I've disabled registration during checkout and I removed the member's directory page to try to stop this type of situation from recurring. The page is in my trash, if you like I can restore the page if it will give you piece of mind.
The site is certainly not compromised, but I do appreciate the heads up regarding the situation. What I did not appreciate was the assumption that my site is hacked. It most certainly is not. It's on a dedicated server, I've hardened the hell out of everything, and I'm sitting here looking through the logs for tell tale signs of exploitation. I do see a lot of bot and script kiddie attempts at XSS and SQL injection, but none of them were successful. I have fine tuned the entire server, have a hardware firewall, SSL encryption, mod_security with my own custom implementation, hardened httpd.conf and php.ini, and even custom core WordPress modifications for better security.
The first business website of mine to get hacked was in 2006, and it was replaced with Islamic jihad propaganda. I've been an obsessive, compulsive security nut since then, because there's nothing worse than having some script kiddie take down years of hard work by copying and pasting.