There was a botnet attack and we emailed the accounts (about 180 accounts) we saw suspicious activity on, putting this post here for the few folks to refer to if needed and to always have transparency with our customers and users:
On 12/20/2017 our web team detected a scripted botnet attack against our sign in form. It appeared to be using a list of emails and passwords from an unknown website or combination of sites which may have been compromised. Adafruit databases and backends have not been compromised to the best of our knowledge.
The attack ran through a list of email address and password combinations, then tried to sign in to our site with each one. The large majority of user/pass combinations failed and were not Adafruit customers or did not have shared passwords with these other websites.
Once we discovered that this attack had begun, we locked down our site as quickly as possible through various means including: additional throttling, requiring a captcha on sign in, DDOS protection (denial of service), and forcing password resets on those accounts that were affected.
We were able to determine that your account was in the list of email/password combinations. Your Adafruit account was accessed yesterday, 2017-12-20. This suspicious activity was the reason for an automated password reset.
We sent 40 password reset notifications while making sure your account and others were protected, and we are additionally sending this notification now.
You account password has been reset. Please use the ‘Forget your password?’ link at https://accounts.adafruit.com/users/sign_in to change it to a new, strong password, not used on other sites.
As a precaution, we suggest changing any passwords on other sites that may have used this email address or password in the past.
Adafruit databases and backends have not been compromised to the best of our knowledge, and we will continue to analyze this attack which appears to have been stopped.
Thanks web team and community support for taking care of this so fast.