Krebs's article explains. It sounds weird. Weird as in "what were they on?". The sign-up process resulted in a one-time code being emailed to the new user's address. So far, so 2FA. But the email appears to have been generated client-side and sent to the server in a POST request whose parameters included not just the recipient address but also the subject and body, so anyone able to craft POST requests could have the server send out whatever email they asked for, under the server's own name. The verification step was, in effect, an open mail relay with no authentication in front of it.

No weak passwords required: no passwords required at all. Apparently IE was required, however. I suppose it stopped those wicked Linux users from getting access.
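
To make the flaw concrete, here is an added illustration, not code from Krebs's article or from the site in question (whose stack the article does not describe). Two handlers take the same form-encoded POST body: the first trusts client-supplied subject and body and so behaves as a mail relay for anyone who can send a request; the second accepts only the recipient address, generates the code server-side, and fixes the message text itself. The handler names, the `FakeMailer` stand-in, the `email`/`subject`/`body` parameter names and the sender address are all assumptions.

```python
"""Added example: client-supplied mail content versus a server-built message.
Not the affected site's code; handler names, parameter names, sender address
and the FakeMailer transport are assumptions for illustration."""
import hashlib
import hmac
import re
import secrets
from email.message import EmailMessage
from urllib.parse import parse_qs

SENDER = "noreply@example.com"  # constructed placeholder sender
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class FakeMailer:
    """Stand-in for an SMTP client: records messages instead of sending them."""

    def __init__(self):
        self.sent = []

    def send(self, msg: EmailMessage) -> None:
        self.sent.append(msg)


def handle_signup_vulnerable(raw_body: str, mailer: FakeMailer) -> EmailMessage:
    """The pattern the post describes: the browser built the message and the
    server mailed recipient, subject and body verbatim. Any POST works."""
    form = parse_qs(raw_body)
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = form["email"][0]
    msg["Subject"] = form["subject"][0]      # attacker-controlled
    msg.set_content(form["body"][0])         # attacker-controlled
    mailer.send(msg)
    return msg


# Server-side store of pending code hashes, keyed by address (constructed,
# in-memory; a real deployment would persist this with an expiry).
PENDING = {}


def _code_hash(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def handle_signup_hardened(raw_body: str, mailer: FakeMailer) -> EmailMessage:
    """Only the recipient comes from the client. The code, subject and body
    are produced here, so a forged POST cannot pick what gets sent."""
    form = parse_qs(raw_body)
    address = form.get("email", [""])[0].strip()
    if len(address) > 254 or not EMAIL_RE.match(address):
        raise ValueError("invalid recipient address")
    code = f"{secrets.randbelow(10**6):06d}"   # server-generated, CSPRNG
    PENDING[address] = _code_hash(code)         # never store the code itself
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = address
    msg["Subject"] = "Your sign-up verification code"
    msg.set_content(f"Your one-time code is {code}. It expires in 10 minutes.")
    mailer.send(msg)
    return msg


def verify_code(address: str, submitted: str) -> bool:
    """Constant-time compare against the stored hash; a code is single-use."""
    expected = PENDING.get(address)
    if expected is None:
        return False
    ok = hmac.compare_digest(expected, _code_hash(submitted))
    if ok:
        del PENDING[address]
    return ok


def extract_code(msg: EmailMessage) -> str:
    """Pull the six-digit code out of a hardened message (for the demo only)."""
    return msg.get_content().split("code is ")[1][:6]


if __name__ == "__main__":
    # Constructed forged POST: recipient, phishing subject and body, as an
    # attacker would supply them. Only the hardened handler refuses the text.
    forged = ("email=victim%40example.org&subject=Urgent%3A+reset+your+password"
              "&body=Click+http%3A%2F%2Fevil.example+to+keep+your+account")
    mailer = FakeMailer()
    bad = handle_signup_vulnerable(forged, mailer)
    good = handle_signup_hardened(forged, mailer)
    print("vulnerable subject:", bad["Subject"])
    print("hardened subject:  ", good["Subject"])
    print("code verifies:", verify_code("victim@example.org", extract_code(good)))
```

The two handlers differ in one thing only: which fields the client is allowed to influence. Everything that ends up in the mail the server sends in its own name (subject, body, the code itself) has to originate on the server, and the recipient field still needs validation, since it is the one input that remains under the caller's control.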

