Sounds like the exploit gave access credentials to the back-end database. So they could just change things directly like usernames and thread titles. However the passwords for users are salted and hashed on a per user basis which would make it nearly impossible to decrypt. Everyone should still change passwords though.