Since the passwords are out, it might be advisable to disable all direct SQL access to the database for now; anything else a sysop or developer can do is logged and so doesn't pose a big problem.

Simply removing special_asksql.php should do the job.

Axel