I had the same problem, we were hit by the soaksoak.ru campaign and it seems a few files may have been injected to gain access to my database. it’s probable that the same thing happened to you if they know about something like a valid user with a seemingly super random name, they could get that information out of your DB if it or the user controlling it was compromised.
One of the things I tried was creating new database users, trashing privileges to all the current ones and giving it to the new ones instead. I haven’t had the problem since, I’m not good with databases but two days so far and I seem to be in the clear. If you want to try that, remember to update your wp-config file, but if it was your DB and not the user, shuffling permissions won’t do much good. Hopefully somebody helps you soon! Good luck
