The damage was done by a prankster with a realy bad taste and sick sence of humour.
The source is sadly you, or your organisation, for not using adequate autentification and protection, and that lack allowed the vandal to log in and do it's dirty trick on you.
Now, all that you have left to do, is to restore your site from a backup. I hope that you DO HAVE a backup.
Next, you MUST set a few, idealy, only one, administrative user name with a good, strong password.
Your password MUST contain UPPERCASE, lowercase, number and, idealy, some special characters. Be at least 8 characters long.
It must NOT be easily guessable!
A nice source for that are those captchas you find in so many places. Note the 2 to 4 next ones you encounter and put them one after the other as a single password and add some special characters.
Ask several peoples, as many as you can, to try to guess your password. If no one can guess it, you are heading in the right direction. Now, add a few extra random characters to be sure.
Electro, May 2011