The flaw involved a compromised subdomain serving up the malicious images. All a user had to do was view the Gif to allow an attacker to scrape data from their account. If left open, the flaw ...