hacked?

I have 5 test accounts set up on my Dolphin-based site for various different reasons, all of which have unique email addresses assigned to them and have never been used anywhere else. Sometime overnight I noticed the same spam email has been sent to each of these addresses (phishing for bank details). Now there is no way that these test account email addresses have been obtained from elsewhere as they have never been used anywhere else other than my Dolphin site. How have these addresses been harvested (site is in anonymous mode)? Has my database been compromised?

Any suggestions chaps?

Quote · 3 Oct 2009

I just had a similar incident this past weekend. My own account e-mail (spam free) and my test account's (also spam free) and apparently the whole user base (I'm gathering) got phishing e-mails.

http://www.boonex.com/unity/forums/#topic/Spammed-Through-Get-E-mail-Exploit.htm

In our case, I believe it was because the bad "Get E-mail" function was exploited. In your case, I have no idea though - sounds even scarier. So being in anonymous mode, the "Get E-mail" function is removed, yes? Did you remove it from the membership level access too, just to be safe? Some threads suggest removing the offending code itself.

I'm not sure if your e-mails are all on the same domain.  Some spammers use the tactic of testing various common usernames for e-mails on a domain, and if no "failed delivery" message is received, they can conclude it's a valid address.

Quote · 8 Dec 2009