For the last few weeks, I've been getting hundreds of registrations here, and given (a) there's no reason to register except to post a comment, and (b) there aren't very many comments posted, I figured something was up. Until yesterday, though, I didn't know what was going on. Now, thanks to the WordPress 2.6.2 release, I do:
With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.
In other words, by registering often enough with specially-crafted usernames, you may eventually be able to force the admin user's password to be reset to something random, and you may know that random password. Scary stuff. So today, I upgraded to 2.6.2, and cleaned out the vast majority of recently-created accounts.
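To make the second half of that advisory concrete, here is a small added example (mine, not code from this post or from WordPress) contrasting a reset-password generator built on a seeded Mersenne Twister with one built on the operating system's CSPRNG. The seed values, alphabet and length are assumptions for illustration; the point is only that a generator whose seed can be narrowed down repeats its output exactly, which is what makes a "random" reset password recoverable, while `secrets` has no seed to guess.

```python
import math
import random
import secrets
import string

# Constructed parameters for the example; WordPress's real alphabet/length are not stated on the page.
ALPHABET = string.ascii_letters + string.digits
LENGTH = 12


def weak_password(seed: int, length: int = LENGTH) -> str:
    """Reset password from a Mersenne Twister seeded with a small, guessable value.

    This stands in for a PRNG whose seed an attacker can narrow down (the mt_rand()
    seeding weakness the advisory refers to). Given the same seed, the output is
    identical, so the password is only as secret as the seed.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = LENGTH) -> str:
    """Reset password drawn from the OS CSPRNG via the `secrets` module.

    There is no application-controlled seed, so knowing when the reset happened
    or what earlier passwords looked like gives nothing about this one.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_reproducible(seed: int) -> bool:
    """True if two independent generations with the same seed yield the same password."""
    return weak_password(seed) == weak_password(seed)


def entropy_bits(length: int = LENGTH, alphabet: str = ALPHABET) -> float:
    """Nominal entropy of a password of this shape, assuming every character is truly random.

    The weak generator never reaches this figure: its effective entropy is bounded by
    the number of seeds an attacker has to try, not by the password's length.
    """
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    print("seeded PRNG, seed=1234, twice:", weak_password(1234), weak_password(1234))
    print("CSPRNG, twice:                 ", strong_password(), strong_password())
    print(f"nominal entropy of a {LENGTH}-char password: {entropy_bits():.1f} bits")
```

When auditing a password-reset or token-generation path, the check is simply whether the value comes from a seeded, deterministic PRNG (`mt_rand`, `rand`, Python's `random`) or from a CSPRNG (`random_bytes` / `random_int` in modern PHP, `secrets` in Python); the former should never be used for anything a user must not be able to predict.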
If you'd signed up for a legit account and I zapped it, please just register again -- and sorry for the inconvenience.