Chat: CIMB got hacked?
LaiN87 | Dec 17 2018, 12:46 AM
QUOTE(HolySatan @ Dec 17 2018, 12:41 AM) it has been exposed since this morning
QUOTE(Duckies @ Dec 17 2018, 12:43 AM) Just tested. This is so fucking legit man. Please change your password, guys.
This is an issue, but I don't think this issue is what is important? In order for the hacker to get into your account, it still needs to get the first 8 chars correctly. Is this the video that is circulating on WhatsApp?
LaiN87 | Dec 17 2018, 01:06 AM
Shit... I know what's happening. Banks do not have that much cash in liquid form.
If everyone transfers their cash out to other banks, especially over a viral flaw like this, the bank will have a severe issue.
So let's hope BNM honours PIDM if it comes to that.
LaiN87 | Dec 17 2018, 03:53 PM
From what I can conclude, there are a few items going on, all surfacing at the same time.
1. reCaptcha code. After CIMB migrated to the newer website, it seems there's no lockout safeguard when a password is wrongly entered. This allows brute forcing of the password, especially when previously it was fixed at exactly 8 letters, no more, no less. I sent an email to CIMB, which also fell on deaf ears.
Rather than a reCaptcha code, they should have a DDoS / brute force detector and block further requests, or lock the account after a few failed tries. But they don't want to lock accounts because a lot of people will be calling asking why their account is locked. So a DDoS / brute force detector would be the better solution to stop them.
2. The viral video / password incorrect but still able to enter. An issue of shoddy IT / programming, where they truncate to 8 characters, without special characters, even if you type more than 8 characters. This is not a critical issue / flaw. It just shows that they don't invest in their IT. The hackers still need to know the first 8 characters correctly to log in. [Related to item 1]
Rather than using such a horrible method, they should just force everyone who logs in with the old 8-character password to change to the new password criteria. Then this whole fiasco could have been avoided.
3. The change password issue. Also an issue of shoddy IT / programming, where for the old password they don't accept more than 8 characters when checking against the actual password. This is not a critical issue / flaw. It just shows that they don't invest in their IT. E.g. if your password is Lowyat123, your old password should be entered as Lowyat12 during the password change. If you enter Lowyat123 it will fail the check and you will be unable to change the password.
4. CIMB debit card database being leaked. Those CIMB debit cards are now being used with Paypal which doesn't The easiest way is to set an RM 0 limit on overseas transactions. Or cancel the debit card altogether.
This should be the issue that is happening with all the Facebook.
5. SMS is not the safest method for TAC or second-factor authentication. I just learnt about this from this thread as well. As long as they have your phone number, it's easy to intercept your SMS. And how will they get your phone number, you say? Thanks to the recent MNP database leak, even my name, IC and phone number are leaked to the public.
I would say the only critical, urgent flaw now is the debit card database being leaked, ITEM 4. They should do like Maybank and just ban all transactions to Paypal. Correct me if I'm wrong or if there are any other points.
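As an added illustration (not code from this thread, nor anything from CIMB's systems), here is a Python model of the two login checks items 1 to 3 describe: a legacy compare that strips special characters and keeps only the first 8 characters, so "Lowyat123" is accepted for a stored "Lowyat12", beside a full-length salted hash compare plus a failed-attempt lockout of the kind item 1 asks for. The normalisation rule, the lockout threshold and the usernames are assumptions.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

MAX_FAILURES = 5  # assumed lockout threshold, not a CIMB figure


def legacy_normalise(password):
    """Assumed model of the flawed check: drop special characters, keep 8 chars."""
    return re.sub(r"[^A-Za-z0-9]", "", password)[:8]


def legacy_matches(stored_8char, supplied):
    """Legacy compare: any input whose first 8 alphanumerics match is accepted."""
    return legacy_normalise(supplied) == stored_8char


def hash_password(password, salt=None):
    """Salted PBKDF2 over the whole password; nothing is truncated."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def hardened_matches(salt, digest, supplied):
    """Full-length, constant-time comparison against the stored hash."""
    _, candidate = hash_password(supplied, salt)
    return hmac.compare_digest(candidate, digest)


class LoginGuard:
    """Counts consecutive failures per user and locks after MAX_FAILURES."""

    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, user, password_ok):
        if self.failures[user] >= MAX_FAILURES:
            return "locked"          # refuse even a correct password once locked
        if password_ok:
            self.failures[user] = 0  # a success resets the counter
            return "ok"
        self.failures[user] += 1
        return "locked" if self.failures[user] >= MAX_FAILURES else "denied"
```

The legacy path also explains item 3: an old password entered in full fails the check because only its first 8 alphanumerics were ever stored.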