[deanhills]

Well at least it looks as though they're doing their level best to sort this out and we know that Hostdoc owner is very vigilant.  Possibly this could happen to the best of any host but at least they've come out honest and upfront and given a very good explanation of what action they're taking to contain the problem. I've always been impressed with their effort to make their server secure but looks as though it boomeranged on them.  It's pretty ironic since this possibly proves that even when you make the ID submission a requirement, that it isn't necessarily going to make things that much more secure. Also that asking for that information also puts an enormous burden of vigilance on their side to keep the info safe, and to delete the info when it is no longer used - i.e. the client is no longer a client.

But yes, @Manal's course of action is obviously very wise in the circumstances.