My guess is that they aren't being created from JFBConnect at all. Are you sure the registrations were made using social login credentials? We've never heard of a spam accounts being created using the social login functionality. We do have some security checks and, obviously, the social networks are usually aggressive about closing down fake/spammy accounts.
I'd check the Usermap area to ensure that the registrations are actually linked to a social network. If not, it means they registered using Joomla (or another extension).
If you don't have one already, we'd recommend a spam registration plugin. These do more than just use a captcha (which is easily foiled) and actually look up the user's IP address and email in an online database of known spammers. We use
SpamBotCheck
. It's not perfect as some spammers get through, but it manages to nix about 500+ fake registrations *per day* on this site.
Unfortunately, spam accounts are a fact of life, and it's something that happens eventually when your site gets a little more visibility.. you can almost take it as a good thing.. though one more thing to contend with on a website.
I hope that helps explain. Of course, if you do find that the registrations were through JFBConnect/social networks, we'll gladly help investigate further.
Thanks,
Alex