Hey everyone. I just wanted to clarify one thing about the c2it hole. It's a front-end attack where there are three parties involved (attacker, c2it.com, and a c2it user). The attacker sends a script to the user, which can then access their c2it account. The script, which runs on the c2it site, could then have transferred money or accessed that user's account information.
The statement "More ambitious hackers could access entire lists of credit card numbers." is a little overstated. The "entire list" is only the list of credit card numbers that the attacked user has on their account, not all the credit card numbers in the c2it system.