This looks like a spam bot command and control center. Highly doubt this is what the author thinks he stumbled into.
Edit: biggest giveaway besides the add user page asking for a session and csrf token is the "failing accounts" and fail logs, which the spammer likely uses to figure out which accounts have been banned from posting or throttled.
This actually makes the post interesting for an entirely different reason. I'd love to see further analysis on the accounts contained in this c&c center. Given that the author has the user names of a number of likely spambot accounts, I imagine one could glean some useful information from this.
I think it's used to manage accounts and could be used for spam. The giveaway is the form asking for csrf token and session id; both required for Django to authenticate and accept a POST request.
Really interesting but not Pinterest getting hacked. This is simply an admin interface to spam Pinterest.
CSRF token and sessionid are probably needed to create an account directly because by default Django has CSRF protection built in and maybe in order to hit the create account page you need to manually grab it.
As I mention there, there was still a minute possibility that even if this didn't belong to Pinterest, it could have been an internal tool for a small team or an employee hack day/side project that got accidentally exposed.
Oops. The elastic IP reuse problem is actually pretty interesting/funny because I've seen a few scenarios.
The easiest one is cross site scripting sourced from a recently decommissioned elastic IP. It's easy, really easy in fact. So much so that it's been done more than once (duh).
It's been used for phishing, except the IP wasn't hijacked or misused, it was just reused by someone who was attentive enough to wonder what all that HTTP traffic was about.
It's been used for "shocksiting", where all of a sudden, your favorite AWS hosted website redirects to one of the more famous shocksites, serves an ad and makes them money.
I won't share any of the links here, they're easy to find.
This current Pinterest problem is pretty bad, I just checked the date on my machine and it's 2013 so nobody with any sense should be storing unencrypted passwords. Even ROT13 would be better than nothing...