WP 2.5.1 Site Hacked — New Admin User, New Posts, Corrupt WP_Options Database

Someone hacked into my WordPress 2.5.1 site today. When I went to the site, I saw the install screen. I went into the database via control panel and noticed that wp_options was broken. I repaired the database from cpanel and it fixed wp-options, allowing me to see my site again. (I hadn’t been installing anything new or upgrading.)

There were about 30 new “Hello World” and “About” posts. I deleted them. In the Users panel, there was a new admin user with the email
mdburke@maine.edu.

I’m a little concerned about this because I’m not sure how the hacker got in. Through WordPress or through my web host? Also, although it was annoying to find this, it was relatively easy to repair.

Does this mean 2.5.1 has a security vulnerability, or was my password not strong enough, or did the hacker come in through my web host?