I, along with all members of Spread Firefox, received an email explaining that their server had been accessed by an attacker:
We don't have any evidence that the attackers obtained personal information about site users, and we believe they accessed the machine to use it to send spam. However, it is possible that the attackers acquired information site users provided to the site.
... and a little later in the email ...
We recommend that you change your Spread Firefox password and the password of any accounts where you use the same password as your Spread Firefox account.
This is a great reason that a distributed authentication standard needs to be accepted and used across the web... and soon. A distributed single sign-on solution would prevent things like this from happening: not by preventing servers from being compromised, but by preventing attackers from finding usernames and passwords that are potentially (and probably) identical to the credentials used to authenticate on other sites.
Of the potential solutions I've seen, I think I like OpenID the best. But I would like to see people critique and suggest improvements. The solution needs to work, of course, but it should also be simple and extensible.
It's time that we stop trusting every site we use with sensitive information.