I believe that only a small group of high rollers were targeted, or at least users whose IDs were published on the leaderboard of the daily jackpot, monthly wagering or referral contest.
I believe the vulnerability can't be exploited without a valid user ID and the attackers are definitely getting those IDs from the jackpot leader board. This explains why only a limited number of users were affected by this attack.
If the freebitco.in team are aware of this and didn't take any action, that's bad. If they aren't, that's even worse!
Hard to say, maybe in your case, at some point attackers managed to overwrite the deposit address and make it fixed somewhere in the website's HTML code.
The difference between your case and his is that he made a deposit while you didn't. Since you didn't make a deposit, the attacker probably decided to change his tactic by making you believe your account got banned.
Sure, but by "valid ID" they just need any ID of an active user with some balance.
On the fbc platform, the user ID is just an ordinal number defining when the user registered himself.
So it can be any number from 1 to number_of_all_users (i.e. the famous site creator, wetsuit, has ID=4, according to his referral link).
I think attackers can hijack any user session, but by doing it they would attract too much attention.
Lots of accounts are deleted, abandoned, inactive or with too low balance to do anything.
So for these obvious reasons there is no point to attack them all.
Attackers chose only a small group of active accounts and that works.
I created an account here to share info about it and warn you.
From the very beginning, because of my newbie rank, I was accused of being a troll, spreading FUD etc. - that was never my intention.
I'm aware that the vast majority of fbc accounts are clean and not affected - sure, but for how long...
Just be careful guys.