Actually, stupid me, I bet a lot of people aren't even using extensions to login, so probably all it takes for a mass hack on NOSTR is one new client who accidentally secures their server improperly, or for an impersonator to hang around for a few months.