Recently, a Reddit post by the user @take_whats_yours has been circulating around the World Wide Web. In the post, the user identified himself as an IT professional. One day, while using the Golden Screen Cinemas (GSC) website, he updated his password and the change went through successfully.
He then confirmed the password change via the email GSC had sent him. However, when he logged out and tried to log back in with the new password, it was rejected as invalid. The old password was also invalid.
He then clicked the ‘Forgot Password’ link to reset the password, expecting to receive an email with a link to reset it to a new one of his own choosing. Instead, GSC sent him his username and password in plain text over the Internet.
“This means they are storing your password on their database in plain text. Anyone who gains access to this database will have access to your account and all your personal information, including address, phone numbers and credit card details. Better than that, it was the old password they sent, which doesn’t work to log in, which means their databases are not updating correctly when you try to reset your password,” said @take_whats_yours.
He proceeded to raise the issue with the customer service department in an email stating:
“I just changed my password. I clicked the confirmation link in the email but now cannot log in with the new password or my old password.
So I clicked forgot password, and you sent me my old password in plain text. This is incredibly dangerous practice. You should be hashing passwords. You should never store passwords in plain text, only a hash. If I select “Forgot Password” you should NEVER send the password in plain text, only a link to renew the password.
Please put me in touch with somebody from your IT security department immediately. I have personal information stored in your database. I cannot believe a company in 2016 is so nonchalant with customer data.”
@take_whats_yours took to Reddit to get opinions from others on the matter. “What do you guys think? Worth kicking up a fuss over this? Or delete the account and let it be?”, he asked.
Another Reddit user offered their opinion: “Wow I don’t even have an account and I’m pissed. Your personal details and credit card information are stored there. You have every right to kick up a fuss.”
Another user shared, “Another lackadaisical or tidak apa (‘never mind’) approach. When sh*t happens, they will blame someone else.”
The original poster, @take_whats_yours, has since added an edit to the end of his post: “To anyone who thinks this isn’t proof that they aren’t hashing passwords, I’m sorry but you’re wrong. You either don’t understand how cryptographic hashing works (it is a one way function, you cannot “decrypt” a hash), or you have some inexplicable desire to defend this stupidity on the part of GSC. Every security professional on the planet would condemn this. GSC is sending plain text passwords over an insecure medium. This is a disaster waiting to happen.”
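The practice the email above prescribes, and the one-way hashing the edit refers to, as an added Python example that is neither GSC's code nor the poster's: passwords are stored only as salted scrypt hashes, and ‘Forgot Password’ issues a single-use, expiring reset token whose hash alone is kept, so there is never a plaintext password to email. The names (AccountStore, TOKEN_TTL) and work factors are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Work factors and reset-link lifetime are constructed values for this example.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SALT_LEN = 2 ** 14, 8, 1, 16
TOKEN_TTL = 15 * 60  # seconds a reset token stays valid

def hash_password(password, salt=None):
    """Return salt || scrypt(password); the plaintext is never written anywhere."""
    salt = salt or secrets.token_bytes(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt + digest

def verify_password(password, stored):
    """Re-derive with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(hash_password(password, salt)[SALT_LEN:], digest)

class AccountStore:
    """Hypothetical account table: keeps only hashes of passwords and reset tokens."""
    def __init__(self):
        self.users = {}   # email -> salt || hash
        self.resets = {}  # sha256(token) -> (email, expiry)

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def login(self, email, password):
        return email in self.users and verify_password(password, self.users[email])

    def request_reset(self, email, now=None):
        """Issue a random single-use token for the reset link; store only its hash."""
        if email not in self.users:  # reply to the user must look the same either way
            return None
        token = secrets.token_urlsafe(32)
        self.resets[hashlib.sha256(token.encode()).digest()] = (
            email, (time.time() if now is None else now) + TOKEN_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token (pop makes it single-use), reject if expired, store the new hash."""
        entry = self.resets.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None or (time.time() if now is None else now) > entry[1]:
            return False
        self.users[entry[0]] = hash_password(new_password)
        return True
```

Because the database holds only hashes, a ‘Forgot Password’ request can return nothing but a fresh link; a breach of the table or of the mailbox yields no reusable password.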
Social media users, what are your thoughts on the matter?
Feature Image Credit: Reddit, GSC Online