by lisper 3352 days ago
> I'm sure they're in the clear personally now

Don't be so sure. If they didn't disclose this to their buyers they are guilty of fraud. The statute of limitations has probably run out (I don't know which state has jurisdiction here), but delayed discovery rules may apply.


I'm not so sure it's fraud for 2 reasons: 1) how easy it would/should be for the buyer to discover the issue; 2) these transactions generally have very detailed disclaimers / disclosure -- basically making them 'as-is' transactions.

If I were a betting man, I'd bet the buyer knew about the issue and basically didn't care.

Yet security researchers go to prison for iterating the ID numbers in a URL to access private profile pages :/

This is negligent. If they are running banking ecommerce infrastructure and are unable to deal with 101 security risks then it is absolutely negligent. The "it is too complex for the average person" isn't an adequate defense.

The only thing is that there has to be someone who lost something of real value for it to go to court as negligence does it not?

This is good thinking. But you need iron tight wording when spelling this stuff out.

In your contact with companies you should say "Failing to fix this issue would be a violation of reasonably assumed security practices as required in LAW..."