Hi acurran,
Sorry for the inconvinience.
There was a vulnerability in version 3.0.2 that was exploited for a brief period of time and patched as soon as it became know in February (more info). It's likely the breach occurred back then, and the malware code remained in the database since then, or it might have occurred recently if the plugin was not up to date.
Make sure to remove the malware if you haven't already (if unsure, you can use the reset settings button to clean it), and check all instances of the plugin on other WordPress installations are clean and up to date.