About a week ago one of our members came to us and reported that he was suddenly getting spammed on an account that he had only ever used for our site.
We started doing some looking but as it was "only one" we figured that it was most likely something on their end.
Then the second one came in. And another.
All these customers were rather unhappy. Which is completely understandable. I would be angry too if a site was giving away my email address or not looking after their security enough that it was compromised.
More than two reports means that something is more than likely wrong at our end, so we started scouring our server for possible issues, fearing that had been hacked.
We spent a few days pouring over server logs, doing file comparisons between the copy of our site on the server and vanilla installations of Joomla and installed components looking for traces of a hacker.
We read seemingly endless security reports looking for any related to our installed versions of extensions.
After several sleepless nights and a lot of hair-pulling, we still couldn't find out how they got in and got increasingly stressed. If we had been hacked, that is one thing, but if we can't find them or stop them then we are more than just hacked, we are sunk.
Just as our panic was reaching a fever pitch we found the leak. iContact, who hosts our Ninja Mail mailing list, was hacked a couple of weeks ago, and their mailing lists were compromised.
Firstly, thanks for letting us know iContact that you handed our private member's data out!
As a result we have canceled our account at iContact and we sincerely apologize from the bottom of our hearts to our members for any inconvenience this has caused.
Luckily though, no user passwords or accounts were compromised, simply email addresses.
If it makes you feel any better, all the NF staff are also getting more spam too as a result.... 
If you have a list at iContact, then I suggest that you notify your subscribers that their details have likely been passed onto spammers. (and try out Mail Chimp instead)
XML Feeds