There is major vulnerability in phpBB that would give someone access to any account. Minimally they would be able to perform any action on the front end like viewing private forums that account has access too, PM's for that account, moderator actions if the account has moderator permissions, etc. This affects all versions going back many years other than latest version.

There is a quick fix if you cannot immediately update and what to look for to determine if your forum was compromised:

[phpbb.com...]

The vulnerability by itself does not grant access to ACP however it is possible conditionally. It's not a giant secret and not difficult to figure out but I'm not comfortable posting it. If anyone wants that info send me a PM.