If you logged in to your gallery as admin and give somebody a link to your gallery with sessionid attached to it, whoever visited that link could possible get logged in as administrator and do whatever they want.
We have a bug fix for that.
Also, your explanation is not clear. What exactly is being deleted? only the image files or files AND information about them in the database or only information in the database but files stays intact?
if first, or third, then you should ask your host administrator, something doesnt smels right
if second, then its most probably somebody logged in into your 4images as admin.