Re: isn't spending much on security?
Probably but not necessarily.
They could be spending boatloads on security but it is still crap because they aren't using the right concepts or are focused on the wrong areas.
Look, eBay have been compromised for at least 2 months, probably with employee credentials. Once you have a copy of legitimate employee credentials, the system is much more vulnerable to escalation attacks. If you've got a month to trawl around, you can probably find the salt and the hash algorithm even if programmers followed the best theoretical practices possible. Hell, at that you might just do what they did with Target: install a logger that captures credentials as they are being passed for authentication.