DreamHost wrote back, and the news isn't good. Someone sent them a list which is apparently circulating, of username/password pairs for "FTP" accounts; one was mine. I had hoped that if a password leaked it was my old password, which I replaced back in June (on my birthday) when DreamHost told me they got hacked. No joy, though -- the password they received was active on Extra Pepperoni (and chrispepper.com) until they sent me mail yesterday; I don't use it elsewhere and changed it last night, but that means someone had access to EP very recently. It looks like nobody ever used the account, but methinks it's time to install MySQL and WordPress on www.reppep.com, and probably Mailman too.

Crud on a cracker!

http://www.finjan.com/Pressrelease.aspx?id=1868&PressLan=1819&lan=3

And I still have no idea how they got me.