I've just experienced the same issue.
1. Delete the "" user.
2. Change your salt keys in your wp-config.php file so all users are logged out.
3. Change all your passwords: WP dashboard/cPanel/mysql database
4. Password protect wp-login.php
5. In cpanel or ftp, check your file dates for recent modifications, Especially wp-config.php/index.php/wp-login.php/.htaccess (I found suspect code in the first 3 locations)
6. Consider restoring to a clean backup several days before the first log of the "" user.
Good luck!