I did get a reply from inside Prosper regarding the prospers.org scrubbing. One of Prosper's big concerns with the .org relates to security. Until I read this, I did not truly appreciate how fanatical they were about personal and security. In retrospect, I should not have been surprised based on my dealings with other financial institutions, but I had not considered this level of detail before. This portion of the e-mail chain is reproduced verbatim with permission:
Prospers.org is a critical security risk to all members.
Prospers.org actively encourages users to map their Prosper screen name to their email. This in itself is a serious security breach.
Prospers.org then requires a password. Given human nature, it is likely that some unsuspecting users would use the same password on Prospers.org as they do on Prosper. This in effect gives whoever runs Prospers.org a growing database of logins in which they could access Prosper members' bank account information, transfer money, place bids, etc.
As if this weren't serious enough, Prospers.org's login is not encrypted. This means every time anyone (including those with admin access) login to Prospers.org their username and password is passed over the internet in clear text allowing any hacker with a packet sniffer to acquire this information.
Based on this, it is highly advised that every member who has ever registered with Prospers.org change their password immediately.
If you think they're too paranoid, please tell me that you're not running IT for my bank.
Update: In addition to posting a lengthy rebuttal to prospers.org's danger to security, Ferrix, the prospers.org maintainer, has confirmed the security state of their forums:
In addition to my other comments rebutting PMI's analysis of .org site security, is this nugget (thanks Mark12547):
Our forum software's login form hashes the password on the client browser before sending it to the server. This means that there is no sniffing vulnerability, even without SSL login.
By the way, as of yesterday night we have SSL protection for the login data anyway, too.
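The quoted update turns on what a client-side hash actually puts on the wire, so here is an added example (not the forum software's code, and not from either party quoted above) comparing two ways a login form can hash before sending. The page does not say which scheme the forum uses; both schemes, all function names and the sample password are assumptions constructed for illustration.

```javascript
// Added illustration: two assumed client-side hashing designs for a login
// sent without TLS, and what a passive observer's captured value is worth.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const hmac = (key, msg) => crypto.createHmac('sha256', key).update(msg).digest('hex');

// Constant-time comparison that tolerates inputs of different length.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Scheme A (assumed): browser sends H(password); server compares to stored H(password).
function makeStaticServer(password) {
  const stored = sha256(password);
  return { login: (sent) => safeEqual(sent, stored) };
}

// Scheme B (assumed): server issues a one-time nonce; browser sends
// HMAC(H(password), nonce); server verifies and discards the nonce.
function makeChallengeServer(password) {
  const stored = sha256(password);
  const open = new Set();
  return {
    challenge() { const n = crypto.randomBytes(16).toString('hex'); open.add(n); return n; },
    login(nonce, response) {
      if (!open.delete(nonce)) return false; // unknown or already-used nonce
      return safeEqual(response, hmac(stored, nonce));
    },
  };
}

function demo() {
  const password = 'constructed-example-password'; // constructed sample value
  const a = makeStaticServer(password);
  const wireA = sha256(password);          // the only value seen on the wire in scheme A
  const staticReplay = a.login(wireA);     // resending the captured value

  const b = makeChallengeServer(password);
  const n1 = b.challenge();
  const wireB = hmac(sha256(password), n1); // value seen on the wire in scheme B
  const legit = b.login(n1, wireB);
  const replaySameNonce = b.login(n1, wireB);
  const replayNewNonce = b.login(b.challenge(), wireB);
  return { staticReplay, legit, replaySameNonce, replayNewNonce };
}
```

In both schemes the cleartext password never crosses the wire, which matters for the password-reuse concern in the e-mail, but only the challenge-response form makes a captured login value useless for a later login. Neither protects the login page itself from being altered in transit, which is what the SSL login mentioned in the update addresses.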