My site has been compromised. A hacker has been verifying himself as an owner of the site in Google Webmaster Tools, and is then doing a "Change of Address" request to point the domain to a malicious site.
In order to verify, the hacker needs FTP/Shell access, or admin level to edit the Theme. After the first attack I reset all passwords for listed users, and on the hosting level.
BUT, he's back.
Today I noticed, as I decided to remove all users except myself (a task I am sad to try because of my many authors). And I noticed that under "Administrator (3)" there are 3 listed users. BUT, only 2 are shown in the table.
I will check the Database for records of this Ghost, but wanted to know if this is something familiar to anyone (both the hacking method, and the Ghost user).
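The database check mentioned above could look like the following. This is an added example, not part of the original post. It assumes the default `wp_` table prefix and a single-site install, and reads the administrator list straight from the tables instead of through the Users screen.

```sql
-- Added example; assumes the default "wp_" prefix (see $table_prefix in wp-config.php).

-- 1. Every user id whose capabilities meta grants the administrator role.
--    LEFT JOIN keeps meta rows that have no matching wp_users row, so an
--    orphaned entry shows up with NULL in the login/email columns.
SELECT m.user_id,
       u.user_login,
       u.user_email,
       u.user_registered,
       m.meta_value AS capabilities
FROM wp_usermeta AS m
LEFT JOIN wp_users AS u ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered;

-- 2. The number of administrator rows that do have a wp_users record,
--    for comparison with the "Administrator (N)" figure on the Users screen.
SELECT COUNT(*) AS admin_accounts
FROM wp_usermeta AS m
INNER JOIN wp_users AS u ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%';
```

Any account returned by the first query that does not appear in the Users table in wp-admin is the one to investigate, along with its `user_registered` date.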