[mmcallister]

Do they have an email address for security incidents? What about responsible disclosure documentation? Could be a good indicator on whether they value the security report or not.

I'd personally disclose it to them in the interest of protecting everyone else that uses their platform. You have the power and ability to stop what sounds like a pretty catastrophic leak.

IANAL but you're intentions are clearly in the right place, they'd be uproar if they tried to prosecute you...having said that they might still try

[throwaway3DN]

Unfortunately, they don't have one. Their development and security practices are straight from the 1990s, I don't think they even have someone reponsible for these areas anymore.

I'm at a loss because I've got the feeling that they are no technical people at all. I feel for them because I know the pains of selling online and I don't want to wreck the livelihood of these people.