22
veradra
5y

I forgot my password to [SITE]. Of course, I click "forgot password", and enter my email, which I did remember. Fairly routine "ah shit we have a problem" steps.

Now, it takes a second. This is to be expected. So I'm not worried. I then get the email and...

Now, you will notice that I redacted some information, like the company name, email, and my PLAIN TEXT PASSWORD, and my name.

I would like to note that this isn't a small, very local company that's new (even then it'd be unacceptable), but this is a multinational, multimillion dollar company.
How'd someone fuck up THIS badly?

Comments
  • 20
    Why hide the company name? I think everyone has a right to know their data is in danger.

    If you saw an attacker killing a person, would you also hide his face in a video recording? I know I wouldn't
  • 4
    @netikras Dunno tbh
    I guess "I don't wanna be sued"
  • 13
    Report them to plain text offenders.
    Also here. Tell us.
  • 16
  • 7
    @Root Looked into it a bit more
    The company themselves don't seem to really have much to do with it. The system they use (northstarats) seems to be the main issue.

    I can't find pretty much anything on them, but they seem to be somewhat used by some companies around where I live. As far as I can tell, it's just an external HR company that is also in charge of applications for some companies. (The email I got was from 'password@northstarhr.com' or something)
  • 6
    @veradra sued for what? I assume it is a public company and the email template they are sending is not a secret as well. It's not like you found a bug in tgeir system noone has thought about.. Someone in that company deliberately made the decision to store plain text passwords and send them via email. It's not like it was an accident or a whoops moment :)

    and they are sending those emails oh so proudly with the company's name in it.

    They obviously are not trying to hide the fact they store plaintext pw, why should you?
  • 3
    @netikras dunno

    Looked into it more, and I don't think it's the company themselves responsible for it, as looking into it more makes it a little clear they use an external site (northstarats) to handle applications
  • 6
    @netikras made a dud for a second site that used them, got sent my shitty test password back.
  • 5
    It may be encrypted, which can be restored to plain text and sent out.

    Not great - in the sense a password should never be decipherable. But it "could" be encrypted at rest.
    Would be worth tracking down the platform owners and throwing constructive feedback at them.
  • 4
    @C0D4 I mean yeah, but at any point if a password can be decrypted, there's a problem.
  • 4
    @veradra I'm not disagreeing here. 😂

    Just saying they might be "technically" encrypting it. But then stuffing up allowing it to be returned back to text. Or they are incompetent ass clowns and are just using plain text.
  • 3
    @C0D4 I'd go with the former tbh.

    Will try and get in contact with someone about it, see what happens.
  • 6
    @C0D4 encryption can be compromised. But one doesn't even need THAT to get OP's password.

    The password is decrypted by them into plain text and sent over via SMTP. Which means no security is in place :) You don't know what hops the plain-text mail passes through to end up in your mailbox, you never know how many eyes have filtered it before you even got it. And you never know whether/when your email provider gets hacked and all the emails are leaked :)
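As an added illustration (this is not code from the original post, and not the code of any vendor mentioned in the thread), the two patterns the comments argue about side by side: a server-side key that "encrypts" the password, which is exactly what lets a "forgot password" mailer decrypt it and send it over SMTP, and the flow a reset should use instead, where the stored record is a salted scrypt hash with no inverse and the only thing that ever goes out by email is a short-lived, single-use, hash-stored token. The server key, account names and passwords below are constructed for the demo; only the Python standard library is used.

```python
"""Password storage and reset: the reversible pattern beside the hashed one.

Constructed example. Names, keys and passwords are made up for the demo.
"""
import hashlib
import hmac
import os
import secrets
import time

# --- The pattern the thread criticises ------------------------------------
# A key the server holds "encrypts" the password. Anything the server can
# decrypt, its mailer, its support tooling, and anyone who steals the key
# can decrypt too. The XOR keystream here stands in for whatever cipher a
# real system would use; the weakness is reversibility, not the cipher.
SERVER_KEY = b"constructed-demo-key-do-not-use"  # assumption: a static app key


def _keystream(n: int) -> bytes:
    block = hashlib.sha256(SERVER_KEY).digest()
    return (block * (n // len(block) + 1))[:n]


def store_reversible(password: str) -> bytes:
    """What a plaintext-offender style system stores: a blob it can undo."""
    pw = password.encode()
    return bytes(a ^ b for a, b in zip(pw, _keystream(len(pw))))


def recover_plaintext(blob: bytes) -> str:
    """What the 'forgot password' mailer effectively does before sending."""
    return bytes(a ^ b for a, b in zip(blob, _keystream(len(blob)))).decode()


# --- The pattern a reset flow should use ----------------------------------
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # ~16 MiB per hash; tune per deployment
RESET_TTL = 15 * 60                         # seconds a reset token stays valid


def hash_password(password: str) -> dict:
    """Salted scrypt digest. There is no function that turns this back into text."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    digest = hashlib.scrypt(password.encode(), salt=record["salt"], **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare


class Accounts:
    """In-memory stand-in for the user and reset-token tables."""

    def __init__(self):
        self.users = {}   # email -> {"salt", "hash"}
        self.resets = {}  # sha256(token) -> (email, expires_at)

    def register(self, email: str, password: str) -> None:
        self.users[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        return rec is not None and verify_password(password, rec)

    def request_reset(self, email: str, now=None):
        """Return the one-time token that goes into the emailed link, or None.

        Only the token's hash is stored, so a leaked table yields nothing
        usable, and nothing about the current password is (or can be) mailed.
        The caller should show the same 'check your inbox' message either way
        so the response does not reveal whether the address is registered.
        """
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        now = time.time() if now is None else now
        self.resets[key] = (email, now + RESET_TTL)
        return token

    def complete_reset(self, token: str, new_password: str, now=None) -> bool:
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.resets.pop(key, None)  # single use: consumed even if expired
        if entry is None:
            return False
        email, expires_at = entry
        now = time.time() if now is None else now
        if now > expires_at:
            return False
        self.users[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    acc = Accounts()
    acc.register("alice@example.com", "hunter2")
    token = acc.request_reset("alice@example.com")
    print("emailed link would carry:", token)
    print("reset ok:", acc.complete_reset(token, "correct horse"))
    print("old password still works:", acc.login("alice@example.com", "hunter2"))
    print("reversible store recovers:", recover_plaintext(store_reversible("hunter2")))
```

The point of the split is structural: `recover_plaintext` exists because the design allows it, while nothing in the hashed path can produce the password again, so the worst a reset email can leak is a token that expires in fifteen minutes and dies on first use.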