It's most likely owners of other servers who store their players passwords in plaintext and use their database to find people with same account name and password on ShadowCores. I've confirmed that the owners of these servers do that: aurera.eu, reptera.net, tibia.mine.nu/narunia.mine.nu/multiworld.mine.nu (whatever domain they use), and there are probably other server owners doing the same. Never use the same account data anywhere else as you use on ShadowCores, at least not on servers with owners you don't trust (e.g. the ones I listed).
Our database has not been hacked, and we value security a lot. We would never intrude anyones privacy like that, we won't even hand out your e-mail or IP-address to anyone no matter how much they would pay us for that.
If you could share the name of that guy in depot who had 80kk and bp with lots of rares, I can look into it and delete him if I can confirm that he has hacked accounts.