Recently, a Reddit post by the user @take_whats_yours, who identifies himself as an IT professional, has been circulating online. While using the Golden Screen Cinemas (GSC) website, he updated his password, and the change appeared to go through successfully.

He then confirmed the password change via the email that GSC sent him. However, when he logged out and tried to log in again with the new password, it was rejected as invalid. The old password was also invalid.

He then clicked the ‘Forgot Password’ link, expecting to receive an email with a link to reset his password to a new one of his own choosing. Instead, GSC sent his username and password in plain text over the Internet.

“This means they are storing your password on their database in plain text. Anyone who gains access to this database will have access to your account and all your personal information, including address, phone numbers and credit card details. Better than that, it was the old password they sent, which doesn’t work to log in, which means their databases are not updating correctly when you try to reset your password,” said @take_whats_yours.

He raised the issue with GSC's customer service department in an email stating:

“I just changed my password. I clicked the confirmation link in the email but now cannot log in with the new password or my old password.

So I clicked forgot password, and you sent me my old password in plain text. This is incredibly dangerous practice. You should be hashing passwords. You should never store passwords in plain text, only a hash. If I select “Forgot Password” you should NEVER send the password in plain text, only a link to renew the password.

Please put me in touch with somebody from your IT security department immediately. I have personal information stored in your database. I cannot believe a company in 2016 is so nonchalant with customer data.”

@take_whats_yours then took to Reddit to get opinions from others on the matter. “What do you guys think? Worth kicking up a fuss over this? Or delete the account and let it be?” he asked.

Another Reddit user offered their opinion: “Wow I don’t even have an account and I’m pissed. Your personal details and credit card information are stored there. You have every right to kick up a fuss.”

Another user shared, “Another lackadaisical or tidak apa approach. When sh*t happens, they will blame someone else.”

The original poster, @take_whats_yours, has since added an edit to the end of his post: “To anyone who thinks this isn’t proof that they aren’t hashing passwords, I’m sorry but you’re wrong. You either don’t understand how cryptographic hashing works (it is a one way function, you cannot “decrypt” a hash), or you have some inexplicable desire to defend this stupidity on the part of GSC. Every security professional on the planet would condemn this. GSC is sending plain text passwords over an insecure medium. This is a disaster waiting to happen.”
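
The practice the quoted email and edit call for, storing only a salted one-way hash and sending a reset link instead of the password, is sketched below as an added example (it is not code from the Reddit post or from GSC). The in-memory stores, function names, PBKDF2 iteration count and token lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for database tables (assumption).
USERS = {}           # username -> (salt, derived_hash); no password column exists
RESET_TOKENS = {}    # sha256(token) -> (username, expiry timestamp)
TOKEN_TTL = 15 * 60  # reset link lifetime in seconds (assumed value)
ITERATIONS = 600_000 # PBKDF2 work factor (assumed value)

def _derive(password, salt):
    # Salted, deliberately slow, one-way: the password cannot be read back out.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def set_password(username, password):
    salt = secrets.token_bytes(16)  # fresh random salt per user and per change
    USERS[username] = (salt, _derive(password, salt))

def verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    # Re-derive from the submitted password and compare in constant time.
    return hmac.compare_digest(stored, _derive(password, salt))

def forgot_password(username, now=None):
    """Return a one-time token for the emailed reset link, never the password."""
    if username not in USERS:
        return None  # the HTTP response should look the same either way
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Only the token's hash is stored, so a database leak yields no usable links.
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (username, now + TOKEN_TTL)
    return token

def reset_password(token, new_password, now=None):
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)  # pop makes the token single use
    if entry is None or now > entry[1]:
        return False
    set_password(entry[0], new_password)    # old hash is replaced atomically here
    return True
```

With this design a ‘Forgot Password’ request has nothing to email except the token, because the server never holds the password in recoverable form.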

Social media users, what are your thoughts on the matter?
