They used decent security measures so I am not worried. Saw a message earlier that they used SHA256 but not sure about a random salt per account. Even with today's GPUs it will take years and years to discover a decent password, i.e., one with at least 8 characters/digits plus 1 special character. Personally I use LastPass (with 2-factor auth) and use a 16-digit password, auto-generated, with alphanumeric and at least 2 "special" chars. If they break that before I am dead then wow.
No software is immune from attack. Be it now or tomorrow, it will get broken. The only sure way of protection is a hash that is capable of withstanding today's, and tomorrow's, computing power. That is either bcrypt or scrypt. Forget two-factor authentication as that does not protect you from using the same password on multiple sites. I think the ideals behind bcrypt and scrypt are sound: make the cost of brute forcing a password expensive, in CPU terms. scrypt goes one further and makes it extremely hard to implement on a GPU.
For me, right now, XF should update the salt on a successful login. Every time a salt changes it makes the rainbow table view less effective. Better still, move to bcrypt or scrypt. I would much rather have a message saying that the extra second in login time is to reduce a hacker's chance of breaking your password by a factor of 100 years (or more). By then I won't care.
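The two ideas in the post above (a random salt per account with a memory-hard hash, and re-salting the stored hash on every successful login) as a worked example. This is added illustration code, not XenForo's code and not Deebs's: it uses Python's standard-library `hashlib.scrypt`, the cost parameters (n=2**14, r=8, p=1), the salt length and the `scrypt$n$r$p$salt$hash` record format are assumptions for the example, and the unsalted SHA-256 helper exists only to show why a per-account salt matters.

```python
import hashlib
import hmac
import os

# Assumed cost parameters for this example; a real deployment tunes them to
# its own hardware. n=2**14, r=8 costs 128 * r * n = 16 MiB of memory per hash,
# which is what makes scrypt awkward to run in bulk on a GPU.
CURRENT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
SALT_BYTES = 16   # assumed salt length
DKLEN = 32        # assumed derived-key length


def unsalted_sha256(password: str) -> str:
    """What 'SHA256 without a random salt per account' looks like: two accounts
    with the same password store the same hex digest, so one precomputed table
    (or one cracked hash) covers every account that shares the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, params: dict = CURRENT_PARAMS) -> str:
    """Hash with a fresh random salt and return a self-describing record
    (assumed format: scrypt$n$r$p$salt_hex$hash_hex), so the cost parameters
    can be raised later without breaking verification of older records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=params["n"], r=params["r"], p=params["p"],
        dklen=DKLEN,
    )
    return "scrypt${}${}${}${}${}".format(
        params["n"], params["r"], params["p"], salt.hex(), digest.hex()
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and parameters stored in the record and
    compare in constant time."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p),
        dklen=len(hash_hex) // 2,
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def login(password: str, record: str):
    """Check the password; on success return a *new* record hashed with a fresh
    salt and the current cost parameters. This is the 'update the salt on a
    successful login' idea: the plaintext is available only at login time, so
    that is the one moment a site can re-salt or migrate to stronger settings.
    Returns (ok, record_to_store)."""
    if not verify_password(password, record):
        return False, record
    return True, hash_password(password)


if __name__ == "__main__":
    # Constructed sample values for a local run.
    stored = hash_password("correct horse battery")
    print("stored:", stored)
    print("login ok:", login("correct horse battery", stored)[0])
    print("wrong pw:", login("wrong", stored)[0])
    print("same pw, unsalted:", unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
    print("same pw, salted:  ", hash_password("hunter2") == hash_password("hunter2"))
```

Because the record carries its own parameters, an old record hashed with a lower `n` still verifies, and the next successful login silently replaces it with one at `CURRENT_PARAMS`; that is how a site moves to a more expensive hash without forcing a password reset.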
This shows impressively how little people understand about all this security stuff...
I don't blame you or anyone else for believing in the "if you update your software, you're safe" paradigm - after all, this is what most software producers are trying to *make* you believe.
Unfortunately, it's wrong and believing in it can be dangerous, especially when you start to act carelessly, because you always update and therefore think you're safe.
There is no software that is free of bugs, and even if a PHP application was free of bugs and possible exploits, you still depend on the underlying software (i.e. PHP itself, your web server, even your operating system), and no matter how hard you try to keep all that stuff up to date, you're not safe. Period.
Software developers can only fix known bugs and exploits, but as a matter of fact, many hacks and exploits make use of recently discovered and unknown bugs, and this is something you cannot avoid, not today, not tomorrow, not in 100 years from now. As software evolves, it gains complexity, and the more complex a software is, the higher the chance for hidden bugs and possible exploits to exist.
Bugs have been found in software that was tested for many years before it was deployed into productivity (i.e. flight management software for modern airliners - something you cannot even remotely compare to a php script running a blog or forum) which was designed and tested under completely different standards and yet, bugs were found years later.
Hacks, exploits, data theft - that's something we'll need to accept as negative side effects of all our modern technologies, and like Deebs correctly stated in his post, the only way to protect our data is to use strong encryption. After all, stolen data is basically worthless when you cannot decrypt it.