I logged back in a few minutes later to investigate, and discovered this in the "russian" tab of their chat window:
Code:
z66 : 20:25
“><img src="#" onerror="alert(1)"
Ramirez : 20:26
><img src="#" onerror="alert(1)"
Ramirez : 20:26
doesnt work
kickbit : 20:27
xe2x80x9c><img src="#" onerror="alert(1)"
Ramirez : 20:28
-->
Ramirez : 20:29
->
They have also been alerted via Twitter by others who noticed the problem:
https://twitter.com/chrisfarms/status/423913046512128001
https://twitter.com/vvedma/status/423920180750610432
As a professional web developer, this is deeply concerning.
I am not sure that this is necessarily related to people having their accounts cleaned out, but it is certainly something to consider regardless as a "possibility". Anyone who has studied computer information security knows how serious the potential for an XSS attack is, and it certainly should not be taken lightly.
You are free to draw your own conclusions, but personally I withdrew all my BTC from there a while ago.
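As an added example (not part of the original post), the messages from the quoted log run through a naive chat renderer that concatenates text straight into markup, which is what would let these payloads fire, next to an entity-encoding renderer that makes them inert, plus a small audit check for live event-handler attributes. The markup template and helper names are assumptions; only the message texts come from the log.

```javascript
// Constructed from the chat log above: the four messages that carry payload text.
// Everything else in this block (markup template, helper names) is assumed.
const CHAT_LOG = [
  { user: "z66", text: '\u201C><img src="#" onerror="alert(1)"' },      // curly quote, as shown
  { user: "Ramirez", text: '><img src="#" onerror="alert(1)"' },
  { user: "Ramirez", text: "doesnt work" },
  { user: "kickbit", text: 'xe2x80x9c><img src="#" onerror="alert(1)"' }, // byte-escaped variant
];

// Entity-encode the ASCII characters that can change HTML structure or break out
// of an attribute value. The curly quote (U+201C) needs no encoding: it cannot
// close a "-delimited attribute, which is likely why that variant "doesnt work".
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: untrusted message text interpolated directly into markup.
function renderUnsafe(msg) {
  return `<div class="msg" data-user="${msg.user}">${msg.text}</div>`;
}

// Hardened version: every untrusted value is encoded for the HTML context it lands in
// (in a real client, prefer textContent / a templating engine with auto-escaping).
function renderSafe(msg) {
  return `<div class="msg" data-user="${escapeHtml(msg.user)}">${escapeHtml(msg.text)}</div>`;
}

// Audit helper: does a rendered fragment still contain a real tag carrying an
// on* event-handler attribute? Crude, but sufficient to flag the payloads in this log.
function containsLiveHandler(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Run both renderers over the log and report which messages would execute script.
function audit(log) {
  return log.map((msg) => ({
    user: msg.user,
    unsafeHit: containsLiveHandler(renderUnsafe(msg)),
    safeHit: containsLiveHandler(renderSafe(msg)),
  }));
}

console.table(audit(CHAT_LOG));
```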