asherkin pretty much covered it, but I'd like to reiterate what the e-mail said. (1) An administrator account was compromised (2) vBulletin is too permissive in what administrators can do (3) it insecurely hashes passwords. The weakest link in the chain is more complex than a forum upgrade.
If you had asked me a week ago, "Bail, did you know admins can log in, then modify plugins to introduce GET hooks that run arbitrary code?" I probably would have said, "No, I didn't know that. That's crazy, and only a fleet of catatonic lunkfish would ever design software that way."
The latest vBulletin is almost unchanged underneath the hood. Upgrading wouldn't give us much except a theme that looks like someone spent years in a lab and figured out the worst possible way to display user-generated content, then barfed on it.
There's other forum software out there; the most likely target is Xenforo, which was written by the aforementioned lunkfish and is still PHP. That's not terribly compelling, but it does look better. Anyway, that's something we've already evaluated in the past and it's just a matter of finding the time.
We have a setup now that I think is pretty good. I receive an SMS if the deployed forum software doesn't match our internal source copy. Admin accounts are locked down. The password hashing is way, way more secure now. And vB 3.x still gets emergency security updates - and we apply those right away.
The forum database doesn't have real names, or credit card numbers, or personal addresses. So - doomsday scenario, someone breaks into the colocation center and squirrels away the hard drive in their cheeks - where we're at now, you won't be as compromised.
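The "deployed software doesn't match our internal source copy" alert described above, as an added illustration that is not the forum's own monitoring code: it hashes every file in a known-good source tree and in the live tree, then reports files that were added, removed or edited in place (which is exactly how a modified plugin file would show up). The directory names, the ignored runtime directories and the sample trees are constructed for the demo; the SMS notification step is assumed to be whatever the operator wires to `drift_detected()`.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large attachments never load whole into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path, ignore=("cache", "attachments")) -> dict:
    """Map relative POSIX path -> digest for every regular file under root,
    skipping top-level directories that legitimately change at runtime (assumed names)."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root)
        if p.is_file() and rel.parts[0] not in ignore:
            manifest[rel.as_posix()] = hash_file(p)
    return manifest

def compare_manifests(reference: dict, deployed: dict) -> dict:
    """Classify drift between the known-good source copy and the live tree."""
    ref, dep = set(reference), set(deployed)
    return {
        "added": sorted(dep - ref),
        "removed": sorted(ref - dep),
        "modified": sorted(k for k in ref & dep if reference[k] != deployed[k]),
    }

def drift_detected(report: dict) -> bool:
    """True when anything differs; this is the condition that should page someone."""
    return any(report.values())

def demo() -> dict:
    """Constructed sample: a source copy and a deployed copy where one plugin
    file was edited on the server and an unexpected file was dropped into the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        src, live = Path(tmp, "source"), Path(tmp, "deployed")
        for root in (src, live):
            (root / "includes").mkdir(parents=True)
            (root / "cache").mkdir()
            (root / "index.php").write_text("<?php // front controller\n")
            (root / "cache" / "tpl.dat").write_text("runtime cache, ignored\n")
        (src / "includes" / "plugins.php").write_text("<?php // shipped plugin file\n")
        (live / "includes" / "plugins.php").write_text("<?php // edited on the server\n")
        (live / "includes" / "extra.php").write_text("<?php // not in the source copy\n")
        return compare_manifests(build_manifest(src), build_manifest(live))
```

Running `demo()` reports `includes/extra.php` as added and `includes/plugins.php` as modified, while the differing cache file is ignored.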