Password reuse, weak passwords, keyloggers, shared wifi networks, etc
Nginx logs.
If the attacked may have obtained a backup, which needs email access too, there is What to do if your Discourse is compromised
If not, a banner topic or a topic in a category everyone is notified may suffice.