Spam emails from the club

robroy

So over the past three weeks I have received about 5 different spam emails from the club. Each time I am called a different name, Paul, David, Daniel.

I am not sure what email system they are using, but its clearly not working.

They are also putting user names and passwords on the email to purchase tickets, this must be for other peoples accounts.

I have a season ticket and my name is Rob for the record.

ShootersHillGuru

You must be a member of the clique.

LuckyReds

robroy said:

So over the past three weeks I have received about 5 different spam emails from the club. Each time I am called a different name, Paul, David, Daniel.

I am not sure what email system they are using, but its clearly not working.

They are also putting user names and passwords on the email to purchase tickets, this must be for other peoples accounts.

I have a season ticket and my name is Rob for the record.

WTF?

Can you elaborate a bit on this please?

Brendan_O_Connell

Same here. How amateurish can you get?

happyvalley

robroy said:

So over the past three weeks I have received about 5 different spam emails from the club. Each time I am called a different name, Paul, David, Daniel.

I am not sure what email system they are using, but its clearly not working.

They are also putting user names and passwords on the email to purchase tickets, this must be for other peoples accounts.

I have a season ticket and my name is Rob for the record.

robroy said:

So over the past three weeks I have received about 5 different spam emails from the club. Each time I am called a different name, Paul, David, Daniel.

I am not sure what email system they are using, but its clearly not working.

They are also putting user names and passwords on the email to purchase tickets, this must be for other peoples accounts.

I have a season ticket and my name is Rob for the record.

robroy said:

So over the past three weeks I have received about 5 different spam emails from the club. Each time I am called a different name, Paul, David, Daniel.

I am not sure what email system they are using, but its clearly not working.

They are also putting user names and passwords on the email to purchase tickets, this must be for other peoples accounts.

I have a season ticket and my name is Rob for the record.

You've probably confused them by calling yourself Rob & Roy.

aliwibble

Good to see that the issues with the contact database that lead to me getting the season ticket renewal forms for two other people a few seasons ago have been utterly ironed out then :-)

clive

It's all Royal Mail's fault.

ateamofcorygibbs

credit where credit's due...

Nug

Why are they sending emails to people with their own username and passwords on? Surely the person knows them and if not you just click the forgot password link. Doesn't this break data protection guidelines?

NornIrishAddick

There's a part of me that wonders whether the Information Commissioner might be interested.

Airman Brown

I had Charlton emails for Katie and Holly last week.

If they are now sending complete log-in information to random people they are effectively giving away the personal information held on the intended recipient, because you could then access it, although probably not saved credit card info. Bound to be a breach of the legislation even so.

iainment

Breach of trust anyway.

LuckyReds

Erhh... There should be no reason they could even access a plain-text version of ANYONEs password, let alone transmit it via email. This is basic development 101, I'd reprimand even a junior developer if I saw any application whereby user authentication credentials were stored in plain-text. The erroneous emailing of them is completely and utterly unforgivable though, and I would imagine a severe DPA breach.

Second question; if anyone has bought tickets recently, do the payments go via the CAFC site or via a third party payment gateway? If they handle payments directly, then I would imagine storing user login credentials in plain-text may cause a compliance issue with PCI-DSS? (As I think that extends beyond the storage of payment details, and in to the security of any system which handles payments; if anyone here works in compliance perhaps they could shed some light on that?)

Alas, I understand that this isn't actually the club - but most likely their vendor. But still... WTF? For what it's worth, I'm fairly certain I disclosed a vulnerability to Navision (the vendor) around 2 years ago and got nothing back.

Brendan_O_Connell

Airman Brown said:

I had Charlton emails for Katie and Holly last week.

If they are now sending complete log-in information to random people they are effectively giving away the personal information held on the intended recipient, because you could then access it, although probably not saved credit card info. Bound to be a breach of the legislation even so.

Katie? Are they confusing you with Meire again?

Airman Brown

LuckyReds said:

Erhh... There should be no reason they could even access a plain-text version of ANYONEs password, let alone transmit it via email. This is basic development 101, I'd reprimand even a junior developer if I saw any application whereby user authentication credentials were stored in plain-text. The erroneous emailing of them is completely and utterly unforgivable though, and I would imagine a severe DPA breach.

Second question; if anyone has bought tickets recently, do the payments go via the CAFC site or via a third party payment gateway? If they handle payments directly, then I would imagine storing user login credentials in plain-text may cause a compliance issue with PCI-DSS? (As I think that extends beyond the storage of payment details, and in to the security of any system which handles payments; if anyone here works in compliance perhaps they could shed some light on that?)

Alas, I understand that this isn't actually the club - but most likely their vendor. But still... WTF?

It is the club.

clive

LuckyReds said:

Erhh... There should be no reason they could even access a plain-text version of ANYONEs password, let alone transmit it via email. This is basic development 101, I'd reprimand even a junior developer if I saw any application whereby user authentication credentials were stored in plain-text. The erroneous emailing of them is completely and utterly unforgivable though, and I would imagine a severe DPA breach.

Second question; if anyone has bought tickets recently, do the payments go via the CAFC site or via a third party payment gateway? If they handle payments directly, then I would imagine storing user login credentials in plain-text may cause a compliance issue with PCI-DSS? (As I think that extends beyond the storage of payment details, and in to the security of any system which handles payments; if anyone here works in compliance perhaps they could shed some light on that?)

Alas, I understand that this isn't actually the club - but most likely their vendor. But still... WTF?

I have bought tickets recently & i am sure the payments go through a 3rd party payment gateway.

LuckyReds

Airman Brown said:

LuckyReds said:

Erhh... There should be no reason they could even access a plain-text version of ANYONEs password, let alone transmit it via email. This is basic development 101, I'd reprimand even a junior developer if I saw any application whereby user authentication credentials were stored in plain-text. The erroneous emailing of them is completely and utterly unforgivable though, and I would imagine a severe DPA breach.

Second question; if anyone has bought tickets recently, do the payments go via the CAFC site or via a third party payment gateway? If they handle payments directly, then I would imagine storing user login credentials in plain-text may cause a compliance issue with PCI-DSS? (As I think that extends beyond the storage of payment details, and in to the security of any system which handles payments; if anyone here works in compliance perhaps they could shed some light on that?)

Alas, I understand that this isn't actually the club - but most likely their vendor. But still... WTF?

It is the club.

New levels of ineptitude.

Brendan_O_Connell

I've now received this email three times in the last five minutes.

Brendan_O_Connell

Brendan_O_Connell said:

I've now received this email three times in the last five minutes.

Make that four.

Airman Brown

Feel a bit sorry for the staff to be honest. Senior managent should have spotted this was an inappropriate thing to do and stopped it. But senior management is out to lunch.

LuckyReds

This explains some of my dismay at the fact the emails contain passwords - http://plaintextoffenders.com/about/ - without even beginning to question how the hell they're being sent to the wrong email addresses.

I'm wondering if someones messed up tying in some mail service to the site?

killerandflash

Brendan_O_Connell said:

Brendan_O_Connell said:

I've now received this email three times in the last five minutes.

Make that four.

Bloody hell

I'm lucky to get any emails about ticketing, it takes hours to get the confirmation email when I've bought a ticket!

AshBurton

Spooky. As soon as I finished reading this thread, the same email popped into my inbox. At least it addressed me by my own name. I don't recognise the user name (6 digits) but it's definitely my normal password. Just weird (possibly also unique).

MarkyE83

This is pretty unforgivable. ICO would hand out a 5-6 figure fine for a data breach like this. I'm truly astounded. Concur with LuckyReds that plain text is a massive no no, even in the transmission stage, sending it is ridiculous! Even if they are stored, encrypted, salted and hashed somewhere, the fact they have sent them makes it irrelevant.

I would bet good money that this password is the same in a lot of the 'customers' other internet services.

ateamofcorygibbs

lol just got two of these in my inbox - both with my right name, but with two different sets of username/passwords...

killerandflash

AshBurton said:

Spooky. As soon as I finished reading this thread, the same email popped into my inbox. At least it addressed me by my own name. I don't recognise the user name (6 digits) but it's definitely my normal password. Just weird (possibly also unique).

Nothing here, though I have just received a tax refund of £600.84 GBP. Just let me clink on the completely unsuspicious link...

SDAddick

robroy said:

So over the past three weeks I have received about 5 different spam emails from the club. Each time I am called a different name, Paul, David, Daniel.

I am not sure what email system they are using, but its clearly not working.

They are also putting user names and passwords on the email to purchase tickets, this must be for other peoples accounts.

I have a season ticket and my name is Rob for the record.

Thanks for bringing this to our attention Steve.

FFS!!!!!! This stuff really isn't that hard

All_Thaid_Up

My son got one, he has never had an account or password so it's strange they sent one to him

AshBurton

All_Thaid_Up said:

My son got one, he has never had an account or password so it's strange they sent one to him

That's ok, he can log in with someone else's details now

SDAddick

LuckyReds said:

This explains some of my dismay at the fact the emails contain passwords - http://plaintextoffenders.com/about/ - without even beginning to question how the hell they're being sent to the wrong email addresses.

I'm wondering if someones messed up tying in some mail service to the site?

But how have they gotten it both spouting off random emails and including UN/PWD in them? And since when do you include BOTH a UN and PWD in an email? Surely you segregate them.

And yeah the plain text storage of UN/PWD...I mean I get it, they don't think it matters but we're seeing time and again that in the internet of things era you have to secure and salt everything. Sigh.

cabbles

I'm still waiting to hear back to be honest. Michael Douglas and Christoph waltz' agents are up my arse, but Roland doesn't care