After some digging, I figured out what was going on. It wasn't a security hole of any sort, just a missing WHERE clause on a database call that would limit the update to just one user. I hadn't noticed the problem before because it only occurs when you're using a custom registration screen (as we're now doing with the CAPTCHA to shut down the comment spambots -- over 100 spam accounts were denied yesterday alone). Apparently this bug was fixed in the Geeklog CVS, but never in the release version.
I fixed the code, but if you have an account here, you should visit the above Account Information screen (the link above should work) and re-select your desired "remember me for how long" setting. Sorry for the inconvenience!
-rob.

