Harvey Kartel wrote on 06/26/13 at 22:29:40:^ I haven't tested this extensively yet but odd things might be possible if you are logged into the same account in multiple browser windows (or even multiple computers) and delete the account in one of them, then try to do something with it in one of the other windows. That's the only way I can think of (short of an admin making modifications) where you could effectively have an "undead" account. (Which you would of course lose entirely if you closed all the windows in which you were logged in)
I actually made and deleted an alternate account to try and test this theory (something I was dying to do), unfortunately it proved incorrect. You get an error message about "form spoofing" if you attempt to post using an account that was just deleted in a different window. Not sure exatly what form spoofing means but I assume it's a security feature YaBB uses to prevent potential hacking of other people's accounts. Otherwise you could possibly vandalize (or delete) someone else's account just by changing the right characters in a URL. (though I have already known for a while that these alphanumeric URLs are dynamic anyway, as an added layer of protection... even though an old URL you've been assigned still seems to work even after you've been assigned a new one)
So what Cromwell managed to do is still eluding me, unless an admin simply gave him that ability.
EDIT: Speaking of security, AOL seems to use dynamic URLs as well, but if you try to, say, cancel an AOL account that you aren't logged in to by copy-pasting an old cancellation URL from it, you'll get the same message saying the account will be canceled, but trying to do anything else with the account will instead give you a message saying that "unusual activity" was detected on it, and you can't log back into it. So apparently AOL cannot completely stop you from marking another person's account as pending cancel (unless I missed something else) but that person will be locked out of the account when they try to log into it, and told to contact AOL. They might even punish the person who tried to hack, by tracking the IP address, but in my case the "victim" account in this experiment was made with the same computer.
I know that contacting AOL can take an account off of the pending-cancel status but you can also just wait and restore it when it's actually cancelled at the end of the billing period. But I just gave cancellation as an example, as someone may use the same method to try to send or receive e-mails with another person's account, potentially leading to identity theft. So if Renzetti's AOL account actually got hacked, via URL modification, then he should be locked out of it due to "unusual activity" and be told to contact AOL, unless someone actually guessed his password, in which case AOL thinks it's just him logging in from somewhere away from home. The hacker would not be able to cancel or make changes to Renzetti's account this way though, unless he also knew the answer to Renzetti's security question.
Yep, I made an alternate AOL account (actually several) so I could make an alternate forum account, why not look for bugs on both......Sorry if I'm starting to sound like I'm turning into an amateur hacker here. But if I do find any kind of real security fault on any site, I'll report it, not exploit it. I only test on accounts I've made myself, anyway. I'll be a good hacker

(and I hear that the U.S. government employs those kinds, and probably pays them a good chuck of change!)
I'm kinda scared to try anything like this with GameFAQs though, I have a 12-year-old account there and I know for a fact that they
will track your IP and are very good about punishing people who try to mess around like this.