I recognize it is probably still early in the investigation of what happened and why. As mentioned, XKCD uses phpBB, a free and open-source forum and bulletin board software built in the PHP programming software.
However, at this moment it's unclear whether XKCD was using an older version of the forum software vulnerable to a security flaw or whether the attackers exploited a previously undiscovered flaw in phpBB to extract the data unauthorisedly.
Besides this, even if XKCD was running phpBB version 3.1 or later, which uses the more secure BCRYPT hashing algorithm, it's possible that the passwords for early users of the XKCD forum were encrypted via the older, less secure MD5 hashing method.
However, other than the standard recommendations to make sure that boards are keeping up-to-date on software releases, are there any other lessons that can be learned from this news?
Added: I wonder how many XKCD users are using 'correctbatterystaplehorse' as their password?
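As an added example (not from the post, and not phpBB's own code), here is a Python sketch of what a board admin could do about the lingering legacy hashes the post describes: classify each stored hash by scheme, count how many are still MD5, and re-hash an unsalted MD5 password at the moment a user successfully logs in. The `$H$` and `$2y$` prefixes are phpBB's phpass and bcrypt hash formats as I know them; the sample rows are constructed, and stdlib PBKDF2 stands in for bcrypt so the snippet runs without third-party packages.

```python
import hashlib
import hmac
import os
import re

# Constructed sample of a phpBB-style users table: (username, password_hash).
# phpBB 2.x stored unsalted MD5 (32 hex chars); 3.0 used phpass portable
# hashes ("$H$..."); 3.1+ writes bcrypt ("$2y$..."). Rows below are made up.
SAMPLE_USERS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),   # md5("password")
    ("bob",   "$H$9abcdefghijklmnopqrstuvwxyz01234"),  # phpass, constructed
    ("carol", "$2y$10$" + "A" * 53),                   # bcrypt, constructed
]

def classify_hash(h: str) -> str:
    """Return which hashing scheme a stored hash string belongs to."""
    if h.startswith(("$2y$", "$2a$")):
        return "bcrypt"
    if h.startswith(("$H$", "$P$")):
        return "phpass-md5"
    if re.fullmatch(r"[0-9a-f]{32}", h):
        return "plain-md5"
    return "unknown"

def audit(users):
    """Count hashes per scheme so an admin can see how much MD5 still lingers."""
    counts = {}
    for _, h in users:
        kind = classify_hash(h)
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def modern_hash(password: str, salt=None) -> str:
    """Stand-in for bcrypt: salted PBKDF2-SHA256 (iteration count is an assumption)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"$pbkdf2-sha256${salt.hex()}${dk.hex()}"

def verify_modern(password: str, stored: str) -> bool:
    _, _, salt_hex, _ = stored.split("$")
    return hmac.compare_digest(modern_hash(password, bytes.fromhex(salt_hex)), stored)

def login_and_upgrade(stored: str, password: str):
    """Verify the password; on a successful match against an unsalted MD5 hash,
    return a re-hashed value so the user's record can be upgraded at login."""
    if classify_hash(stored) == "plain-md5":
        ok = hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
        return ok, (modern_hash(password) if ok else stored)
    if stored.startswith("$pbkdf2-sha256$"):
        return verify_modern(password, stored), stored
    # phpass and bcrypt verification need their own routines; not covered here.
    return False, stored
```

Run `audit(SAMPLE_USERS)` to see the per-scheme counts, then `login_and_upgrade(...)` to watch a plain MD5 entry get replaced once its owner logs in.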