Originally Posted by Yair
What's the point in hijacking an account for this purpose? Is it that hard to generate an account? All that hassle because of the CAPTCHA?
Because your spam will appear to come from a legitimate user. If you're really lucky, it will be one with an extensive posting history. Admins probably won't be so quick to ban accounts for those people like they would with new users; instead, they'll do what Jason (and I, when this happened at pocketnow) did and change the passwords (I also E-mailed the few users I noticed to let them know what happened).
For example, one user at pocketnow who seemed to fall into this was the CEO of a well-known gadget clothing company. That one really surprised me. I wasn't about to ban or delete his account, though.
Given that this happened over four months ago, I hope there's now code in place to prevent passwords that are the same as user names. It seems like it should be a very simple change.
For what it's worth, I just tested this on my phpBB 2.x forum and nothing prevents user IDs and passwords from being identical, either. (I haven't tested phpBB 3.x.)
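The "very simple change" mentioned above, sketched out as an added example; this is not code from the post, from pocketnow, or from phpBB. It does two things an admin in this situation would want: a registration/password-change check that rejects passwords derived from the username (not just an exact match, since a case-insensitive or reversed variant is just as guessable), and a one-off audit over existing accounts that tries the username and a few trivial variants against each stored hash, so accounts that were created before the check existed can be found and their passwords reset. The salted hash scheme is a stand-in so the audit runs offline (phpBB's real hashing is different), and the account list is constructed sample data.

```python
import hashlib
import hmac

# Stand-in salted password hash (assumption for this example; phpBB uses its
# own scheme). Kept small so the audit below can run offline.
_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> str:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), _ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def username_password_violation(username: str, password: str):
    """Registration-time check. Returns a reason string if the password is
    derived from the username, else None. Goes beyond plain equality:
    ignores case and surrounding whitespace, and catches reversal and
    containment (containment only for usernames of 4+ characters, so short
    names like 'al' do not reject every password containing 'al')."""
    u = username.strip().lower()
    p = password.strip().lower()
    if not p:
        return "empty password"
    if p == u:
        return "password equals username"
    if p == u[::-1]:
        return "password is the username reversed"
    if len(u) >= 4 and u in p:
        return "password contains the username"
    return None


def _username_variants(username: str):
    # Trivial variants a spam bot would try first. Ordered so the exact
    # username is tested first; duplicates are skipped.
    seen = []
    for v in (username, username.lower(), username.upper(),
              username.capitalize(), username[::-1]):
        if v not in seen:
            seen.append(v)
    return seen


def audit_accounts(accounts):
    """Cleanup pass for accounts created before the check existed.
    accounts: iterable of (username, stored_hash). Returns the usernames whose
    stored hash verifies against the username or one of its variants, i.e.
    the accounts an admin should force a password reset on."""
    hits = []
    for username, stored in accounts:
        if any(verify_password(v, stored) for v in _username_variants(username)):
            hits.append(username)
    return hits


# Constructed sample data (not from any real forum). Fixed salts keep the
# example deterministic; real code would draw salts from os.urandom.
_SAMPLE_ACCOUNTS = [
    ("alice", hash_password("c0rrect-h0rse", b"\x01" * 16)),
    ("bob",   hash_password("bob",   b"\x02" * 16)),   # password == username
    ("carol", hash_password("Carol", b"\x03" * 16)),   # only the case differs
]

if __name__ == "__main__":
    for name, pw in [("alice", "c0rrect-h0rse"), ("bob", "bob"),
                     ("Carol", " carol "), ("dave", "evad")]:
        print(f"{name!r} / {pw!r} -> {username_password_violation(name, pw)}")
    print("accounts to reset:", audit_accounts(_SAMPLE_ACCOUNTS))
```

The audit is deliberately narrow: it only tries the username and a handful of variants per account, which is cheap enough to run against a whole user table and catches exactly the population the spam bots were going after. Anything broader (dictionary attacks against your own hashes) is a different exercise, and the registration-time check is what keeps the problem from coming back.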