The most recent browser bundles are 2.3.25-9 for Windows and OS X, released on June 12, and 2.3.25-10 for Linux, released on June 26. They had to update the Linux version because of a bug that caused crashes on 64 bit Linux. If you updated your browser bundle within a few days of the latest release, which you should always do, then you were almost certainly protected against this exploit (even if it was on the server since before August 3, as claimed in the HW discussion, it was unlikely to be there for more than a few weeks). We should use cases like this to learn and improve our security. Although I always update my browser bundle on the day a new version is released, admittedly I have been lax in allowing JavaScript. I will definitely be more strict about enabling it going forward. More importantly, we must find out how the FH server and/or admin were identified. Was it an attack on the Tor network, a exploit of the email or web servers, or tracking of bitcoin transactions? (Those are the 3 ideas I've heard so far, although it may turn out to be something completely different.)