Last night someone hacked the password of one of the French Wikipedia sysops, Youssefsan. (Using IP 217.144.0.5, possibly a proxy?) They don't appear to have done anything terribly devastating; blanked a few pages and banned a couple of IPs (since restored).
However, under the system that has been in place, it would be trivial for any sysop to retrieve another user's password hash and use it to log in by hand-setting the stored password cookie. (Indeed, there is some concern that one of the other fr users who is a sysop there may be the troublemaker.)
** Anyone with an account on the French Wikipedia, I recommend you change your password just in case this guy snagged more. **
I've changed the sysop's SQL query to use a separate MySQL user account which has read-only access and isn't allowed to read the email and password fields of the user table, which should close the 'malicious sysop' hole. (However, developers still have full access.)
-- brion vibber (brion @ pobox.com)
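As an added illustration of the mitigation described above (not Brion's actual change or MediaWiki's own setup), the statements below create a separate MySQL account with column-level SELECT rights so that the password hash and email columns of the user table are unreadable from the sysop pages. The database name, account name, host, and column names are assumptions; the post does not give them.

```sql
-- Added example, not the real fix from the post. Database, account, host
-- and column names (wikidb, wikisysop, user_id/user_name/user_rights,
-- user_password/user_email) are assumptions; adjust to the real schema.

-- Before (the hole): the sysop pages ran with an account that could read
-- every column of `user`, so any sysop could pull out password hashes.
-- GRANT ALL PRIVILEGES ON wikidb.* TO 'wikiadmin'@'localhost';

-- After: a dedicated read-only account for the sysop queries.
CREATE USER 'wikisysop'@'localhost' IDENTIFIED BY '<placeholder-password>';

-- Column-level SELECT: only the listed columns are readable. Columns not
-- listed here (user_password, user_email) are denied outright, so even a
-- hostile sysop cannot retrieve another user's hash through this account.
GRANT SELECT (user_id, user_name, user_rights)
    ON wikidb.user TO 'wikisysop'@'localhost';

-- No INSERT/UPDATE/DELETE is granted anywhere: the account is read-only,
-- matching the post. Developers keep using their own full-access account.
FLUSH PRIVILEGES;

-- Check 1: the server's own record of what the account may touch. The
-- output should list only the three columns above, nothing on other tables.
SHOW GRANTS FOR 'wikisysop'@'localhost';

-- Check 2 (run while connected as wikisysop): reading permitted columns
-- works, while any query naming a hidden column is rejected by the server.
SELECT user_id, user_name FROM wikidb.user LIMIT 5;
SELECT user_password FROM wikidb.user LIMIT 1;
```

Re-run the second check after every schema change, since a new sensitive column added to the table later is not covered unless the grant list is kept deliberately narrow like this.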