6-year-old Moodle flaw exposed millions to account takeover attack