Posted an announcement regarding this at Important Announcements subforum.

Further update:  The system was not breached, no passwords were compromised (they are salted and multiple times hashed anyways). The attacker used a RubyOnRails vulnerability that was released yesterday (http://www.exploit-db.com/exploits/24019/) to withdraw the funds therefore.

Exploit released yesterday, eh? How convenient...

That's just scheduled maintenance
We deployed the fixes within five minutes after receiving the notification from the Rails security mailing list.

Bit slow of the attacker. I was actually half-expecting someone to start hacking Bitcoin sites before any exploit was even publicly released.

It's good to see you are recovering so quickly, especially with the severe downtime or outright collapse most exchanges seem to go through.

It's been a couple of stressful hours here.

No we did not switch servers, we:
 - applied the Ruby Rails patch
 - backed up all log files for further analysis
 - log files show the XML code injection, we validated all triggered commands to ensure nothing other than withdrawing funds (e.g. backdoor) was done.
 
2AM here, will need to catch some sleep,  mistakes are easily made when being too tired.

DId you hold ALL your money in cold wallets?

This seems like a terrible plan of action. Your server could still be compromised, but site actions have been restored? Why is your wallet easily accessible by your web server?

BTC, NMC and LTC service back online again.

We hope to fix Soldcoin in the coming hours too.