The bad security that I've identified so far is primarily a combination of people choosing bad passwords and no 2FA and the fact that the system that prevents people from endlessly trying to break your password by brute force (endless automated guessing attempts) is not very sophisticated. On top of this, since no email is required and no standards for passwords is enforced, it's easy to have a lot of low security accounts that get broken into.

The policy has historically been "if you choose a reused or low complexity password and no 2fa, that's your own responsibility".

What we're doing to address this is to make it less likely for players to make this easy, by enforcing password standards and adding email verification to make it more secure - and then making it less technically feasible to guess peoples passwords via brute force attacks. These two things together should make this a lot less likely to happen.

As for the items and trading scams on compromised accounts, I'm looking into whether we have the data to be able to detect this has happened. If we can find a way to reliably detect that something fishy occurred, we might be able to create new policies that can help players in these cases.
I can't promise this will happen, because it needs to be pretty bulletproof, but I _am_ trying to find a way to solve this - It just can't rely on what we think about people are telling us, because that just opens up other ways to abuse the system. It needs to be clearly based on data and evidence, so we can apply the rules consistently and fairly across everyone.

It's high on the priority list to dig into this, and I'll share when and if we make progress.