... checked the message queue and I see a myriad of emails being sent ...
What kind of emails? Contact Us?
It's not really a "security breach" if the spammers are using a public page (e.g. Contact Us).
I see two general types of 'spam' that can emanate from nopCommerce:
1) Messages that are only directed to you (e.g. [email protected]), which can come from Contact Us. They are spamming you.
2) Messages that could be directed to other emails but don't really contain spam. I see those only because some of them "bounce back" as undeliverable. An example would be a 'spammer' registering as a new user with someone else's email address. The other person does not see 'spam'; they just see a "welcome" message from your store (although they might consider it spam ;)