We've just found out that the two people who complained actually know each other and were complaining about the same account, one on behalf of the other. So now it sounds like something else has gone on .. but we don't know for sure so we're still running in emergency mode not letting people log on until we secure things

Turns out it was a domestic. The ex-girfriend got the ex-boyfriends password, logged on, deleted loads of stuff, denied all knowledge to boyfriend and then emailed us to say that her account had been compromised as well etc.

The thought of been targeted by a hacker having some fun looking for security loopholes and destroying everything scared us. Does that actually happen? It would be an easy way of destroying a website business.

Interesting...

I'd recommend logging IP addresses of those that login if it's unique; it certainly would have helped in this case, but would in others, as well. Having the IP address of the "attacker" would aid in discovering secuirty holes and other attemps that person made on your system. In a case like this, however, you cannot really control what your users do with their passwords.

TOTALLY agree. To use Selena Sol's words of "old" (in Internet terms) "Every user input is a potential hack." Logging every bit of info is an insight to see if anyone's trying, and plug holes before they succeed. Server logs often don't tell the whole story; I use logs from within the scripts for this, and log them before any data-cleansing routines.

We knew that this was a possibility one day without https.

While this is not a bad idea, SSL is not a cure-all. If your scripts have vulnerabilities that can be attacked from input, they can still be attacked over https. SQL or email injection are two examples. What SSL stops is data sniffing via port scanning or other "back door" techniques by encrypting the data en route.

Does that actually happen?

Search this message board for attacks on CMS systems and bulletin boards, it's rampant.