Once a software vulnerability is made public and widely available people will set up bots to scan through sites looking for known insecure versions and compromising them / injecting a backdoor / etc on the off-chance they find something valuable.
Looking at the HTTP response headers, the site is running Liferay CE 6.2 GA2 (6.2.1). You can find a list of known vulnerabilities on the Liferay site here:
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/categories/113763930?p_r_p_categoryId=113763930
A bunch of cross-site scripting issues, which can range from fairly minor (think: adding a script to the page that says "Daniel Ingram is a doodoohead"... whether that's minor or not depends on who you are I guess) to pretty annoying (think: adding a bitcoin miner in the background of the page, or redirecting you to a phishing site). The attacker generally won't gain access to the *server*, but may be able to run arbritary scripts in the user's browser. Thankfully if you're using a modern browser there are plenty of security features to stop them from doing anything too bad.
However I would recommend everyone download and use the NoScript browser extension for now and enable it for this site in case any dodgy code has been injected into the site.
There is also a known RCE (remote command execution) exploit for Liferay < 6.2.5, though it seems the details aren't completely public so I don't know if this is a risk, or if so, how much of a risk it is:
https://www.cvedetails.com/cve/CVE-2019-16891/
This kind of exploit can allow an attacker to run whatever program they like on the actual server hardware, which could be a problem and may compromise database info. Passwords should be hashed with, according to the Liferay docs, "PBKDF2--WithHmac--SHA1/160/128000" which basically means passwords are encrypted by a random function run an arbritrary number of times, and encoded using a specified SHA algorithm. However, if that algorithm is SHA1, that has known weaknesses and its use is strongly discouraged these days. Additionally, a note on the Liferay docs says that if a site is upgraded from a prior version to 6.2, they may enable "legacy" password support, which likely uses plain SHA1, which would be even weaker.
Basically in the event that an attacker gained database access they wouldn't get your passwords, but may get hashed versions which may be possible to either brute force (less likely) or look up in a table of known password hashes (if it's SHA1, and you're using a password that can be found in such a table, either using a common word or a password that's previously been leaked, that's quite likely).
Without more info from the hosting provider and/or Daniel's tech team it's hard to say what the actual risk is, though they may not want to disclose that information until it's secured to prevent copycat attacks.
Priceless! 
