BE v2.9 instance compromised

Apr 9 at 4:04 AM
I figured out today while upgrading from 2.9 to 3.2 that at some point a couple of months ago, my blog was compromised. Someone had found a way in and created two sub-blogs. Luckily no content or anything nefarious took place far as I can tell. I only have two userids, the admin account and an account under my own name, both have their own distinct STRONG passwords. How is it possible that someone got through the login with admin access?
Apr 9 at 4:45 AM
Edited Apr 9 at 4:46 AM
Do regular updates or check for regular security patches.
For example:
(install package already has patch included)
Apr 9 at 4:06 PM
Thanks. Always applied patches and updates for the major version I was using. Not always convenient to make the bigger version jumps.