Two weeks ago we released WP All Import 4.1.1, a critical security update, and e-mailed all of our customers notifying them of the importance of upgrading immediately.
Just over a week later, three customers who did not upgrade to 4.1.1 reported that they were hacked.
The three hacks all followed the same pattern: a file named cache.php was uploaded to a folder inside /wp-content/uploads/wpallimport/uploads/ by exploiting the security hole in WP All Import that we patched with 4.1.1.
If you haven't upgraded to 4.1.1 (or 3.4.4), you should do so immediately. You should also check all of the subfolders inside /wp-content/uploads/wpallimport/uploads/ for a file named cache.php. If you find one, you were hacked.
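
The check described above can be scripted. This is an added example, not code from the WP All Import team; the function name `scan_wpallimport`, its exit codes, and the WordPress root you pass in are this example's own assumptions. It lists every cache.php under the folder and records its metadata and SHA-256 hash before anything is cleaned up.

```shell
#!/bin/sh
# Added example: look for the cache.php indicator named in this advisory.
# Usage: sh scan.sh /path/to/wordpress   (path is an assumption; pass your own root)
# Exit codes (this example's convention): 0 = clean, 1 = cache.php found,
# 2 = the wpallimport uploads folder does not exist under the given root.

# Hash one file with whichever SHA-256 tool is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

scan_wpallimport() {
    wp_root=${1:-.}
    dir="$wp_root/wp-content/uploads/wpallimport/uploads"

    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi

    # Count matches at any depth below the uploads folder.
    hits=$(find "$dir" -type f -name cache.php -print | wc -l | tr -d ' ')
    if [ "$hits" -eq 0 ]; then
        echo "clean: no cache.php under $dir"
        return 0
    fi

    echo "FOUND $hits file(s) named cache.php under $dir"
    # Record owner, size, modification time and hash before removing anything,
    # so the evidence survives cleanup.
    find "$dir" -type f -name cache.php -print | while IFS= read -r f; do
        ls -l "$f"
        hash_file "$f"
    done
    return 1
}

# Run only when a WordPress root is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_wpallimport "$1"
fi
```

An exit code of 1 means the site matches the pattern of the three reported hacks.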