The query used to delete users in logintoboggan_cron() is incorrect, and will delete ALL users who have not yet clicked the activation link.
The existing query uses $user->access (which is 0 for a new user) in its query instead of user->created. Since user->access is 0, and the query decides to delete all users whose role is the pre-validated role where user->access < the time calculated, all users unlucky enough to get caught by cron will be deleted.
The attached patch changes to use $user->created for the query instead of $user->access.
In honor of my user who was deleted 2 seconds after her account was created :-)