There is a security hole that allows parts of a read-protected ($wgGroupPermissions['*']['read'] = false;) wiki's content to be accessed by anyone. Through the RSS/Atom feeds of Special:Recentchanges. The feed isn't password protected.
The feed's URL for any wiki can be figured out easily by anyone with a couple of days' experience with MediaWiki.
A temporary workaround for this problem is to set the feed limit to 0, as suggested by Hojjat in MediaWiki-General.
I think you should put up an alert on the front page (mediawiki.org), and warn people of this problem, and suggest the temporary solution.