Quote:

Create a new user/pass and DB for that user (you), then reinstall xoops. Be sure to delete the proper files and chmod correctly. This should not have happened under a correct configuration.

If you want to keep your news items and such, be sure to backup and download the appropriate tables from your database so that you can reinsert them after your new installation.

Just my two cents.

Hm, i don't want to delete and install XOOPS site again for some reasons. I changed my SQL password, but the website didn't work, i got an error, that it's impossible to connect to SQL. Anybody know, how to change SQL password and keep my XOOPS site working?

ANd the user passwords are safe, because XOOPS saves them as MD5 hash values instead of the actual passwords. MD5 is an encryption method, and it can't be decrypted, so not even when they know this, can the hackers find out the passwords of your users. Because the hosting provider failed to install their services like they should, PHP files weren't parsed and the mainfile.php (which holds the mySQL database password, you're correct about that) could be read. But with every server that has its services set up correctly and parses PHP files, this information is as safe as you can get it. So, XOOPS is as safe as any PHP application and the security breach is completely to be blamed on your hosting provider!

Herko

You change the database username and password through your CPanel's database admin and you will also need to change your mainfile.php to the new database username and password.