Login and force op hacks on AotBT Server

[iPodHacks142]

So lately I've been getting a lot of people on my server who are somehow able to login using any username, op their own accounts even though worldguard prevents the in-game op command and spawn in items that should be banned and confiscated when in their inventory. I have searched for many hours trying to find out how this is done so that I can find a way to patch it but haven't found anything useful. The latest thing to happen was someone who was able to spawn in tornado spawners even though they are banned and was able to grief my spawn using them.

If anyone knows how this is done or has a fix for it then please let me know. I would be very grateful. 

My server is running AotBT version 1.0.12a with a mcpc plus server jar.

[HalestormXV]

My thoughts? This is pure speculation but well someone got a hold of your password (more likely) OR that same exploit that was found in 2013 is back with the Mojang Authentication servers if you migrated your account. Although that was fixed supposedly and If you are running an AoTBT McPC Plus server maybe try finding some secondary authentication plugin?

[iPodHacks142]

I do have an in-game login system for staff because of this but it doesn't seem to have stopped it being possible. And the fact that they could log in using any name (one of the logs said notch as well as others) tells me its something else.