securing passwords
Zarxrax
12-27-2011, 03:50 AM
Ok, so my site was previously hacked, and I believe that the hacker probably got the md5 hashes of all the passwords, and is able to decrypt them.
Now assuming this, how do I move forward? I am taking every security measure possible while rebuilding my forum, but as long as the hacker already has those hashes, he could still compromise accounts once I am back up and running, right?
Is there any way to re-hash those, or something, so that the data the hacker has would be useless?
ShiningStar
12-27-2011, 10:28 AM
Are you sure the hacker has those passwords in decrypted form?
It's not that easy to decrypt.
Or maybe the forum had just been defaced, nothing else?
Just possibilities...
A forum can easily be defaced from the same server: they can read your Config.php and deface the site using the database information, i.e. database name, username and password.
A simple way to protect Config.php is to just change the permissions of the Config.php file to 400 :)
Zarxrax
12-27-2011, 03:25 PM
Well, no, I don't know for sure that they obtained it, but I want to take every precaution. I did visit the hacker's site and study what they do. I saw that it is possible for them to obtain the passwords and decrypt them.
fishmaster
12-27-2011, 03:38 PM
Chmod to 400, good idea.
Any idea on how they did it?
Was it a plug-in?
Zarxrax
12-27-2011, 03:44 PM
Well, I was running a rather outdated version of the forum (my license for 3.x had expired, and I hadn't bought 4.x yet), so I'm sure there were plenty of security vulnerabilities in it. My database password was obtained from the config.php and then that was that.
I do know that the hacker obtained admin privileges on the board because right before it was defaced, some normal users were promoted to super moderators.
ForceHSS
12-27-2011, 03:55 PM
I find adding Cloudflare allows you to block countries as well as IPs. Good program.
fishmaster
12-28-2011, 04:46 AM
Peeping it out, hard to use with vBulletin?
ShiningStar
12-30-2011, 08:51 AM
Well, I was running a rather outdated version of the forum (my license for 3.x had expired, and I hadn't bought 4.x yet), so I'm sure there were plenty of security vulnerabilities in it. My database password was obtained from the config.php and then that was that.
I do know that the hacker obtained admin privileges on the board because right before it was defaced, some normal users were promoted to super moderators.
Yup, after getting the database info they can do almost everything an owner can usually do {downloading the database, editing tables and in this way promoting or demoting any member, or simply changing the admin's email address to their own so they could easily recover the password of the super admin too :p}. It usually takes a few minutes to make themselves admin, but all of that is possible only from the server where you are hosted, and it's no trouble at all to find out about the other sites on the same server as well as to hack any other forum hosted on that server.
While there aren't security issues in vBulletin itself, when it comes to 3X, using the latest version, i.e. 3.8.7 PL-2, may be the best idea {even I like to have and work in 3.8.7 :rolleyes:}.
So the only security on your side can be securing the Config.php file through its permissions {sometimes 400 won't let the forum work; in this situation CHMOD 404 will be used, and an extra step of decrypting config.php may be taken too}, but there's still one more danger, that of the reseller's account :p If your reseller or the master reseller of your reseller gets hacked, then any precaution will become useless, as that hacker will be able to access your cPanel :rolleyes:
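The opening question asks whether the stored hashes can be re-hashed so that the stolen copy becomes useless. As an added example (not from any poster in this thread, and not vBulletin code): wrapping each digest in a salted slow hash protects the table against a future leak, but only retiring the old passwords defeats the copy already taken. Assumptions: the legacy column holds unsalted hex MD5, PBKDF2-SHA256 is the replacement chosen for this example, and all function and field names are hypothetical.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed work factor for this example; tune to your hardware

def legacy_md5(password: str) -> str:
    """The old scheme as assumed here: unsalted MD5, stored as hex."""
    return hashlib.md5(password.encode()).hexdigest()

def slow_hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def wrap_legacy(md5_hex: str) -> dict:
    """Replace a stored MD5 digest with PBKDF2(digest); needs no plaintext."""
    salt = os.urandom(16)
    # must_reset: the old password may already be cracked from the stolen dump
    return {"scheme": "pbkdf2-md5", "salt": salt,
            "hash": slow_hash(md5_hex, salt), "must_reset": True}

def set_password(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt,
            "hash": slow_hash(password, salt), "must_reset": False}

def verify(record: dict, password: str) -> bool:
    secret = legacy_md5(password) if record["scheme"] == "pbkdf2-md5" else password
    return hmac.compare_digest(slow_hash(secret, record["salt"]), record["hash"])

def login(users: dict, name: str, password: str) -> str:
    record = users.get(name)
    if record is None or not verify(record, password):
        return "denied"
    # A correct but exposed password opens no session; the caller mails a
    # reset link to the address on file instead.
    return "reset_required" if record["must_reset"] else "ok"

def complete_reset(users: dict, name: str, new_password: str) -> bool:
    """Run only after the mailed reset token was checked (not shown here)."""
    if verify(users[name], new_password):
        return False  # refuse to keep the exposed password
    users[name] = set_password(new_password)
    return True

if __name__ == "__main__":
    users = {"alice": wrap_legacy(legacy_md5("hunter2"))}  # constructed sample row
    print(login(users, "alice", "hunter2"))                # reset_required
    print(complete_reset(users, "alice", "correct horse battery"))  # True
    print(login(users, "alice", "correct horse battery"))  # ok
    print(login(users, "alice", "hunter2"))                # denied
```

Because the thread notes that someone with database access can change e-mail addresses, compare the addresses on file with a pre-breach backup before mailing reset links.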