As reported on the LifeHacker site: an XSS flaw might have compromised your account, regardless of the OS or browser you’re running. The flaw has since been patched, but if your account was subverted prior to the fix, it will still have the malicious filters in it. Follow the links from that page to find out how to check it, and remove the filters if they’re there. (Firefox with the previously-mentioned NoScript add-on completely blocks this kind of problem, even from undiscovered flaws — for your system’s safety, please use it!)
I think I saw this a while before. Forwarding is disabled on my account and no suspicious filters exist here. Though of course, everyone should check.
(saw the warning, that is, not the bad filters!)
In a happy coincidence, I just spotted an article on The Register that reports that David Airey (the web designer whose domain name was stolen using this flaw) has gotten control of it again.