Recently, a Reddit post by the user @take_whats_yours has been circulating around the World Wide Web. Through the post, the user revealed his identity as an IT professional. One day, he was using the Golden Screen Cinemas website and proceeded to update his password and managed to do so successfully.

He then confirmed the password change in the email that GSC has sent him. However, when he logged out and tried to re-login with the new password, the password was now invalid. The old password was also invalid.

He then clicked the ‘Forgot Password’ link to reset the password and had expected to receive an email with a link to reset his password to a new one of his own choosing. However, GSC had sent his username and password in plain text over the Internet.

Image Credit: GSC Online

“This means they are storing your password on their database in plain text. Anyone who gains access to this database will have access to your account and all your personal information, including address, phone numbers and credit card details. Better than that, it was the old password they sent, which doesn’t work to log in, which means their databases are not updating correctly when you try to reset your password,” said @take_whats_yours.

He proceeded to address the issue by contacting the customer service department with an email stating:

“I just changed my password. I clicked the confirmation link in the email but now cannot log in with the new password or my old password.

So I clicked forgot password, and you sent me my old password in plain text. This is incredibly dangerous practice. You should be hashing passwords. You should never store passwords in plain text, only a hash. If I select “Forgot Password” you should NEVER send the password in plain text, only a link to renew the password.

Please put me in touch with somebody from your IT security department immediately. I have personal information stored in your database. I cannot believe a company in 2016 is so nonchalant with customer data.”

@take_whats_yours took to Reddit to get opinions from others on the matter. “What do you guys think? Worth kicking up a fuss over this? Or delete the account and let it be?”, he asked.

Another Reddit user offered their opinion: “Wow I don’t even have an account and I’m pissed. Your personal details and credit card information are stored there. You have every right to kick up a fuss.”

Image Credit: globalcool.org

Another user shared, “Another lackadaisical or tidak apa approach. When sh*t happens, they will blame someone else.”

The original poster, @take_whats_yours has since added an edit to the end of his post, “To anyone who thinks this isn’t proof that they aren’t hashing passwords, I’m sorry but you’re wrong. You either don’t understand how cryptographic hashing works (it is a one way function, you cannot “decrypt” a hash), or you have some inexplicable desire to defend this stupidity on the part of GSC. Every security professional on the planet would condemn this. GSC is sending plain text passwords over an insecure medium. This is a disaster waiting to happen.”

Social media users, what are your thoughts on the matter?

Feature Image Credit: Reddit, GSC Online

 
 
Also Read
5 Awww Stories We Found On Social Media That Gives Us Hope For The “New Normal” Raya

Spreading hate is easy via social media. Instead, we focus on looking for kind stories that Malaysians have done during the MCO and the COVID-19 period.

There’s An Event To Educate M’sians About #MeToo On Nov 30, Here’s How To Get Involved

On November 30th, there will be a half-day educational event held in Bangsar about the #MeToo movement and sexual harassment.

GrabFood Now Delivers Till 2am So You Can Get Cheese Naan Without Leaving Your Bed

GrabFood extended their delivery hours and now serves till 2am daily, in the Kuala Lumpur and Klang Valley area.

We Tried Secret Recipe’s New Boba Drinks So You Don’t Have To

We review Secret Recipe Malaysia's boba pearls bubble milk tea drink series, including the Boba Brown Sugar Milk and Boba Brown Sugar Milk Tea.

7 Things KAKIGŌRI Did Right With Their Recent Rebranding

Japanese shaved ice dessert brand, Kakigori Malaysia, has announced that they have rebranded and officially changed their name to Kakiyuki.

Texas Chicken Officially Launched Their First 24-Hour Drive Thru In Klang Valley!

Texas Chicken Malaysia launched their first 24-hour drive thru in Klang Valley at Sunway Mentari, Bandar Sunway in June 2019.

Differently-Abled M’sians Can Now Enjoy Digi Mobile Plans As Low As RM28/Month

Digi introduces cheap mobile plans as low as RM29/month for Malaysian persons with difficulties (OKU) to support the differently-abled community.

In My Quest For Love, I Turned To Facebook Dating—It’s Better Than Tinder Already

DiscoverKL reviews Facebook Dating, a new in-app dating feature app in Malaysia, as well as how it compares against Tinder and Coffee Meets Bagel.