Is there any dormant account policy?
No, there isn't.
I suggest those dormant accounts receive email notification like a warning that failure to respond or atleast login will cause their accounts locked or create a tag for those account So when they're login again they can easily be identified.
We're looking to see what we can do to stop this, but it isn't easy. Especially since we allow logins from tor.
But was access gained? Were the accounts actually compromised, or are the accounts simple extra accounts from established members?
Yes, access was gained to these accounts and was used to get ripples. Some of them appear to have been made by bots, but others used to be someone's main account.