After some back-and-forth with Bebo support, I've managed to regain control of my account.
I'm wondering if this is a bot or a targeted attack. I'm the developer of Warbook, so I imagine there might be one or two script kiddies that might think it cool to get into my account.
Current evidence leans towards a bot:
On June 14, 2009, I got an email from Bebo. My registered email address had been changed to firstname.lastname@example.org. This one came at 5:41 PM PST.
I caught this pretty early (within 2 hours of it happening), logged in and changed my email address back and changed the password.
Then on July 12, 2009, I got another email from Bebo. My registered email address had been changed to email@example.com. This one came at 5:33 AM PST.
At 9:39 AM PST, I got another email from Bebo, thanking me for verifying my email address. Oddly enough, this thanks-for-verifying came to my original account email.
When I tried to log on, I found my password had been changed. Contacted Bebo support, and after I replied to their copy-pasted-"how to change your password" message, they replied with:
Thank you for your email and for using Bebo. In order to confirm you are the owner of the profile in question, please send the following details:
* CURRENT USERNAME for the account
* Your FULL NAME
* Your FULL DATE OF BIRTH
* Your NEW EMAIL ADDRESS (it cannot be an email address already registered on Bebo).
Anyways, I have control of the account again, but I don't think I'm going to fill in any of my information. Other than a profile pic, a school, and fixing my date of birth, it can remain blank.
I also asked Bebo if they could add a note to my account, requiring all future email changes to be accompanied by a challenge-response. (ie, they ask me a question that only I would know, I respond with the correct answer). Ideally, this would be built into the system (hint, hint, Bebo engineer. I know you have an office in San Fran. Don't make me write a letter.), so email changing isn't as easy as providing bits of information that's known everywhere. Although I'm also suspecting there might be some sort of XSS attack - I've never bothered deleting my cookies, so there might be a way to trigger an email change if I browse across an evil page, although then the email change shouldn't have happened at 5 AM...
Either way, here's to hoping it doesn't happen again. If it does, I may be deleting my bebo account for good.
Also, the very odd thing is, I have yet to see any malicious activity, other than the deletion of all of my information and the removal of my friends. I haven't received reports of my friends receiving odd communications from my bebo account while it was hijacked either, leading me to wonder if it's actually a bot exploiting some loophole instead of a targeted attack.