Thanks Paul. I read the article briefly last week and will read it again.
Meanwhile here are some findings:
1) It seems apparently the hackers are using some auto-login scripts – cos after setting achievements for tracking/awarding 1 point per login, some accounts clocked in over 20K points in a single day (twenty thousand times of login in to the site?!)
2) Another research method which was accidental – i setup Feedjit to see traffic and potential users coming in. Apparently the hacker use this search phrase – “powered by WordPress and Buddypress” so they must have and actively seeking sites powered by Buddypress knowing they can come in to create spam easily.
Anyway the above observations is for those who are working on their sites as reference.