The word got out a lot longer ago than that - we found the first hacks shortly before the 3.7 release, and it was one of the primary reasons for releasing 3.7 when we did. But in early December, a script-kiddie hack found its way into several popular 4chan and related sites.
It's frustrating, as there's nothing I can do to prevent it or force updates on sites running old code. And, in retrospect, it was a dumb piece of coding that allowed the hack, and I should have noticed the potential for it a long time ago. But ... the vulnerability had been there from the first day we introduced AJAX uploading, and literally every Fabrik site ever installed since about version 2.3 was vulnerable. It just took about 6 years for someone to find it.
However, I try not to beat myself up about it too hard. Software has security holes. It's a part of life. I'm 100% sure there are other holes lurking in Fabrik, and Joomla itself, and every other non-trivial extension that allows any kind of state change on the server side. Likewise, in the OS the site runs on, the web servers that serve the sites, the browsers and mobile devices that access the site, etc etc.
Which is why it's the admin's responsibility to keep sites updated. Which is a pain, but just part of life as a web site admin. So when someone running 3-year-old Fabrik and Joomla gets hacked, I have to remind myself that's just part of life's rich tapestry, and they should have updated.
-- hugh