Yesterday, I found two vulnerabilities in cbstream that have been there from almost the start. As you may know, cbstream (then called cbupstream) is a bridge that allows you to talk on the perlmonks chatterbox using any IRC client. This requires a login: you have to tell cbstream your perlmonks account name and password. There are two modes of login in cbstream: normal login remembers your account details only until you leave the IRC channel, whereas persistent login remembers them until the bridge is shut down and recognizes you when you enter the channel again. This means cbstream has to know that someone entering the channel is the same user as the one who logged in persistently, but the mechanism by which it did this was buggy. This bug could have allowed someone to send public perlmonks chatter or private messages in the name of anyone who used the persistent login feature.

Yesterday I temporarily disabled the persistent login feature, so now cbstream users have to log in each time they enter the channel. This closes the vulnerability.

The vulnerability only ever allowed you to execute perlmonks chatterbox commands like public chatter, private message, chatteroff, ignore, borg, etc.; it never allowed you to do other operations with your perlmonks account like voting, posting, or changing your password. Thus, there is probably no need to change your perlmonks password.

Here are some technical details. There are actually two closely related bugs to speak of.

The more dangerous bug has been there since the change of the irc services pack near 2008 May 25. The new services (athame) allow users to log in to nickserv to an account that does not own the nick they're currently using. The server knows about the identified flag (user mode +e), which is set only if you're logged in to nickserv and using a nick that your account owns. The whois reply reports both the account someone is logged in to and whether ey is identified. Nickserv can give similar information about anyone. The identify-msg feature correctly tags only identified users, so you can detect nick spoofing with it, which is the original purpose of the identify-msg feature. Had cbstream used whois or the identify-msg feature, it wouldn't have had this bug. However, cbstream instead relied on the +R channel flag, which mutes everyone who is not logged in. Due to lacking documentation, I somehow believed this channel mode filtered identified users too, but I haven't actually tested this. Thus, this vulnerability is really easy to use: one cbstream user persistently logs in to cbstream and then leaves the channel, another user logs in to his account but changes his nick to the nick of the first user, enters the cbstream channel, and alas, cbstream recognizes him as the first user, and he or she can speak in his name. This bug was open from approximately 2008 May 25 to 2008 Nov 16.

The other bug is older but harder to use. I have given channel op rights to several monks. Armed with these channel op rights, they could in theory have impersonated a persistently logged in user to cbstream. There are four ways they can do this, but each is quite hard to pull off, even if the attacker has got chanop rights, because they require lucky timing. This bug is independent of the services change, so it has been open since 2007 Feb 11, when persistent login was implemented.

Most of the above applies to cbriver with obvious changes.

Kudos to tomaw and jilles who educated me on the workings of the hyperion irc server and thus found these bugs.

The good news is that there is a secure way to implement persistent login with very little user-visible change. I'll do this when I have time (don't hold your breath) and post an update as a reply here when I've done so.

Technical details again.

The solution is to issue a whois query every time someone joins the channel, from which we find out his login name. One drawback of this is that if someone enters the channel, speaks, and leaves, all so fast that cbstream does not have time to send the whois query and get the whois reply, the message will have to be ignored. If you linger on the channel for a few seconds either before or after you talk, this does not happen. There are also some really minor user-visible changes I'll explain later when I actually implement this. There's also a positive effect: the channel will be moded -R, so you'll be able to log in (non-persistently) to cbstream without logging in to nickserv.
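As an added illustration (not cbstream's or cbriver's own code), here is a small Python model of the two binding schemes discussed above: the old one that trusted the nick because channel mode +R silenced anyone not logged in, and the whois-based one that binds the persistent login to the nickserv account and ignores talk from a nick whose whois reply has not come back yet. The toy IRC server, the account names alice and mallory, the perlmonks user alice_pm, and the way the whois reply is delivered are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class IrcUser:
    nick: str
    account: Optional[str]  # nickserv account, None when not logged in


class ToyServer:
    """Constructed stand-in for the IRC server; only what the bridge needs."""

    def __init__(self):
        self.users = {}

    def connect(self, nick, account=None):
        self.users[nick] = IrcUser(nick, account)

    def disconnect(self, nick):
        self.users.pop(nick, None)

    def whois_account(self, nick):
        """Account part of the whois reply (freenode numeric 330), or None."""
        user = self.users.get(nick)
        return user.account if user else None


class VulnerableBridge:
    """Old scheme: +R keeps non-logged-in users quiet, so the nick alone was
    trusted. Nothing checks which account is actually behind the nick."""

    def __init__(self):
        self.plogin = {}  # irc nick -> perlmonks user

    def persistent_login(self, nick, pm_user):
        self.plogin[nick] = pm_user

    def relay(self, nick, text):
        """Return (perlmonks_user, text) to send, or None to ignore."""
        pm_user = self.plogin.get(nick)
        return None if pm_user is None else (pm_user, text)


class WhoisBridge:
    """Fixed scheme: bind the perlmonks login to the nickserv account, whois
    every joiner, and ignore talk from nicks whose reply has not arrived."""

    def __init__(self, server):
        self.server = server
        self.plogin = {}   # nickserv account -> perlmonks user
        self.account = {}  # nick -> nickserv account learned from whois
        self.pending = []  # nicks with a whois query outstanding

    def on_join(self, nick):
        self.account.pop(nick, None)  # drop any binding from an earlier visit
        self.pending.append(nick)     # stands in for sending WHOIS <nick>

    def deliver_whois_replies(self):
        """Simulate the server answering the queued whois queries."""
        for nick in self.pending:
            acct = self.server.whois_account(nick)
            if acct is not None:
                self.account[nick] = acct
        self.pending = []

    def on_part(self, nick):
        self.account.pop(nick, None)
        if nick in self.pending:
            self.pending.remove(nick)

    def persistent_login(self, nick, pm_user):
        acct = self.account.get(nick)
        if acct is None:
            return False  # reply not in yet, or the user is not logged in
        self.plogin[acct] = pm_user
        return True

    def relay(self, nick, text):
        acct = self.account.get(nick)
        pm_user = self.plogin.get(acct) if acct else None
        return None if pm_user is None else (pm_user, text)


def scenario():
    """Constructed walk-through of the nick-reuse case described in the post."""
    server = ToyServer()
    old, new = VulnerableBridge(), WhoisBridge(server)

    # 1. alice (account alice) logs in persistently on both bridges and leaves.
    server.connect("alice", account="alice")
    new.on_join("alice"); new.deliver_whois_replies()
    old.persistent_login("alice", "alice_pm")
    new.persistent_login("alice", "alice_pm")
    new.on_part("alice"); server.disconnect("alice")

    # 2. Someone logged in as mallory takes the now-free nick alice.
    server.connect("alice", account="mallory")
    new.on_join("alice"); new.deliver_whois_replies()
    spoof_old = old.relay("alice", "hello")  # old bridge relays as alice_pm
    spoof_new = new.relay("alice", "hello")  # new bridge ignores: account is mallory
    new.on_part("alice"); server.disconnect("alice")

    # 3. The real alice returns and is recognised by account, not by nick.
    server.connect("alice", account="alice")
    new.on_join("alice")
    too_fast = new.relay("alice", "quick")  # spoke before the whois reply came back
    new.deliver_whois_replies()
    genuine = new.relay("alice", "hello again")

    return spoof_old, spoof_new, too_fast, genuine
```

The third step shows the drawback mentioned above: a message sent before the whois reply arrives is dropped, which is the price of never relaying on the strength of a nick alone.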

All this will work both with the current irc daemon and the new one freenode is planning to start to use real soon now, with only minor changes in the code.


Re: Vulnerability discovered in cbstream plogin
by Anonymous Monk on Nov 18, 2008 at 02:23 UTC
    I hope you weren't surprised :|