My WordPress 2.6.2 got hacked today. I have no idea how exactly. But I found this in my stats:
I have an email around the same time about a password change. And while I was still logged in myself, I found out (later) the email address of the admin had been changed.
I've since deleted some plugins (which I think weren't the problem) and added secret keys to the wp-config. Is this enough or am I still vulnerable?