I got this e-mail from them:
On Tuesday, April 18, insecure staging server was compromised.
This staging server contained an old version of the X4B database. While this database is very old (more than 3 months), and only some clients are affected, it is suggested that you change your passwords immediately as a precaution. Our passwords are strongly hashed, but as a precaution please also change your passwords on any other websites where you may have used the same password as for X4B.Net. As a reminder, you should do your best not to use the same password across several online services, to increase your security in the event of a breach.
They database server dumped contained user information, and a small amount of additional information. We have obtained a copy of the published compromised data and can confirm that the listing includes Username, Password Hash, email address and first address line. This database did not contain SSL Private Keys (or certificates), however if you feel we are happy to assist with revocations as required. At this time after our initial audit we are not aware of any SSL Private Key compromise but we remain vigilant and will be conducting further audits.
We'll keep you updated of the situation and will be (and have been) taking extensive measures to prevent this from occurring again in the future. This will include a full review and upgrade of our security practices to help safeguard us against similar attacks in the future. We estimate full recovery within about one week.
Yes, it was only a staging server, but I thought I would post it anyway.