We're getting some spam posts from very old accounts that have had no recent activity, but are using gmail or other free provider.
Given how long ago these accounts were created, back when password security wasn't that much of an issue, it's likely the account used the same password for multiple sites (hey, we all did).
Since the logins are a one-shot success with no failed attempts, whoever is doing this knows the password.
That's why we're forcing a password reset, which is sent to the account's email address on file. (If the hacker doesn't have access to the mailbox, they can't change the address.)
So, if you got the email, just reset your password (to something secure and unique to this site, please).
Thank you!