I have Events+ installed, but haven't really used it as it didn't work as well as MarketPress to manage my workshops.
Just a few minutes ago, while looking around at some unrelated things in the back end, I found a problem. Apparently, on the main site of my multisite, someone ELSE had created 12 different events in this plugin, all filled with spam links. ALL of them were created under usernames of people who had set up subdomain sites, but never finished the process by paying.
In other words, somehow just the process of getting username/password access to the site (I do not offer free sites), gave them access to the events creation area. They were also all published.