The attack started between 05:35 and 05:40 CDT yesterday, when the user count jumped from 387 to 909. The attack lasted until around 16:05 CDT (4 PM), when the user count dropped from 787 to 53. For the duration of the attack the user count hovered around 2000, with a maximum of 2591 users at 08:35.
When the attack concluded, I and others were unable to log in, getting a password incorrect error. I received no email notifications after being PMed, and attempts to create new accounts resulted in a blank screen. Some users were still logged in and able to post, but attempts to change passwords were unsuccessful.
The site is back up, but I’d update your passwords.
OK things seem to be back to normal for the time being. Nobody’s password got changed this time. The admins updated to the latest version of phpBB after Monday’s incident, so it’s possible whatever vulnerability was used Monday was patched out.