When you go to delete the account on a fully patched store you are prevented from doing so by returning invalid form key and the account must be deleted from the Manage Customer Grid.
Which version of Magento 1 are you using? Do you have all patches applied?
Had this same issue. For whatever reason the payment failed and order was not created. Will follow up if it happens. we are fully patched on Magento 1.9 latest version.
We just had the same exact hack on a customer site. We were fully patched up to the latest version. Does anyone have any information about this hack? There seems to be some vulnerability in Magento.
Can you confirm if that value is stored into the database as html entities?
Yes, I've heard a lot about that lately. Can someone tell me more about it? I would like to prevent an attempt to steal my personal information.
I am really sorry, I don't know why my message posted two times(
It's always good to be aware of the different ways that hackers can try to gain access to our data. In this case, it sounds like the attacker was trying to inject a malicious script into your store through the first name field. Luckily, you could prevent the attack by deleting the account from the Manage Customer Grid.