
Spam emails from the club

So over the past three weeks I have received about 5 different spam emails from the club. Each time I am called a different name, Paul, David, Daniel.

I am not sure what email system they are using, but it's clearly not working.

They are also putting user names and passwords on the email to purchase tickets; this must be for other people's accounts.

I have a season ticket and my name is Rob for the record.

Comments

  • You must be a member of the clique.
  • LuckyReds
    LuckyReds Posts: 5,866
    robroy said:

    So over the past three weeks I have received about 5 different spam emails from the club. Each time I am called a different name, Paul, David, Daniel.

    I am not sure what email system they are using, but it's clearly not working.

    They are also putting user names and passwords on the email to purchase tickets; this must be for other people's accounts.

    I have a season ticket and my name is Rob for the record.

    WTF?

    Can you elaborate a bit on this please?
  • Same here. How amateurish can you get?
  • robroy said:

    So over the past three weeks I have received about 5 different spam emails from the club. Each time I am called a different name, Paul, David, Daniel.

    I am not sure what email system they are using, but it's clearly not working.

    They are also putting user names and passwords on the email to purchase tickets; this must be for other people's accounts.

    I have a season ticket and my name is Rob for the record.

    You've probably confused them by calling yourself Rob & Roy.
  • aliwibble
    aliwibble Posts: 26,498
    Good to see that the issues with the contact database that led to me getting the season ticket renewal forms for two other people a few seasons ago have been utterly ironed out then :-)
  • clive
    clive Posts: 19,560
    It's all Royal Mail's fault.
  • credit where credit's due...
  • Nug
    Nug Posts: 4,627
    Why are they sending emails to people with their own username and passwords on? Surely the person knows them and if not you just click the forgot password link. Doesn't this break data protection guidelines?
  • There's a part of me that wonders whether the Information Commissioner might be interested.
  • Airman Brown
    Airman Brown Posts: 15,757
    edited September 2016
    I had Charlton emails for Katie and Holly last week.

    If they are now sending complete log-in information to random people they are effectively giving away the personal information held on the intended recipient, because you could then access it, although probably not saved credit card info. Bound to be a breach of the legislation even so.

  • iainment
    iainment Posts: 8,048
    Breach of trust anyway.
  • LuckyReds
    LuckyReds Posts: 5,866
    edited September 2016
    Erhh... There should be no reason they could even access a plain-text version of ANYONE's password, let alone transmit it via email. This is basic development 101; I'd reprimand even a junior developer if I saw any application whereby user authentication credentials were stored in plain-text. The erroneous emailing of them is completely and utterly unforgivable though, and I would imagine a severe DPA breach.

    Second question: if anyone has bought tickets recently, do the payments go via the CAFC site or via a third party payment gateway? If they handle payments directly, then I would imagine storing user login credentials in plain-text may cause a compliance issue with PCI-DSS? (As I think that extends beyond the storage of payment details, and into the security of any system which handles payments; if anyone here works in compliance perhaps they could shed some light on that?)

    Alas, I understand that this isn't actually the club - but most likely their vendor. But still... WTF? For what it's worth, I'm fairly certain I disclosed a vulnerability to Navision (the vendor) around 2 years ago and got nothing back.
  • I had Charlton emails for Katie and Holly last week.

    If they are now sending complete log-in information to random people they are effectively giving away the personal information held on the intended recipient, because you could then access it, although probably not saved credit card info. Bound to be a breach of the legislation even so.

    Katie? Are they confusing you with Meire again?
  • LuckyReds said:

    Erhh... There should be no reason they could even access a plain-text version of ANYONE's password, let alone transmit it via email. This is basic development 101; I'd reprimand even a junior developer if I saw any application whereby user authentication credentials were stored in plain-text. The erroneous emailing of them is completely and utterly unforgivable though, and I would imagine a severe DPA breach.

    Second question: if anyone has bought tickets recently, do the payments go via the CAFC site or via a third party payment gateway? If they handle payments directly, then I would imagine storing user login credentials in plain-text may cause a compliance issue with PCI-DSS? (As I think that extends beyond the storage of payment details, and into the security of any system which handles payments; if anyone here works in compliance perhaps they could shed some light on that?)

    Alas, I understand that this isn't actually the club - but most likely their vendor. But still... WTF?

    It is the club.
  • clive
    clive Posts: 19,560
    LuckyReds said:

    Erhh... There should be no reason they could even access a plain-text version of ANYONE's password, let alone transmit it via email. This is basic development 101; I'd reprimand even a junior developer if I saw any application whereby user authentication credentials were stored in plain-text. The erroneous emailing of them is completely and utterly unforgivable though, and I would imagine a severe DPA breach.

    Second question: if anyone has bought tickets recently, do the payments go via the CAFC site or via a third party payment gateway? If they handle payments directly, then I would imagine storing user login credentials in plain-text may cause a compliance issue with PCI-DSS? (As I think that extends beyond the storage of payment details, and into the security of any system which handles payments; if anyone here works in compliance perhaps they could shed some light on that?)

    Alas, I understand that this isn't actually the club - but most likely their vendor. But still... WTF?

    I have bought tickets recently & I am sure the payments go through a 3rd party payment gateway.
  • LuckyReds
    LuckyReds Posts: 5,866

    LuckyReds said:

    Erhh... There should be no reason they could even access a plain-text version of ANYONE's password, let alone transmit it via email. This is basic development 101; I'd reprimand even a junior developer if I saw any application whereby user authentication credentials were stored in plain-text. The erroneous emailing of them is completely and utterly unforgivable though, and I would imagine a severe DPA breach.

    Second question: if anyone has bought tickets recently, do the payments go via the CAFC site or via a third party payment gateway? If they handle payments directly, then I would imagine storing user login credentials in plain-text may cause a compliance issue with PCI-DSS? (As I think that extends beyond the storage of payment details, and into the security of any system which handles payments; if anyone here works in compliance perhaps they could shed some light on that?)

    Alas, I understand that this isn't actually the club - but most likely their vendor. But still... WTF?

    It is the club.
    :neutral: New levels of ineptitude.
  • I've now received this email three times in the last five minutes.

  • I've now received this email three times in the last five minutes.

    Make that four.
  • Airman Brown
    Airman Brown Posts: 15,757
    edited September 2016
    Feel a bit sorry for the staff to be honest. Senior management should have spotted this was an inappropriate thing to do and stopped it. But senior management is out to lunch.
  • LuckyReds
    LuckyReds Posts: 5,866
    This explains some of my dismay at the fact the emails contain passwords - http://plaintextoffenders.com/about/ - without even beginning to question how the hell they're being sent to the wrong email addresses.

    I'm wondering if someone's messed up tying in some mail service to the site?

  • I've now received this email three times in the last five minutes.

    Make that four.
    Bloody hell

    I'm lucky to get any emails about ticketing, it takes hours to get the confirmation email when I've bought a ticket!
  • AshBurton
    AshBurton Posts: 1,142
    Spooky. As soon as I finished reading this thread, the same email popped into my inbox. At least it addressed me by my own name. I don't recognise the user name (6 digits) but it's definitely my normal password. Just weird (possibly also unique).
  • This is pretty unforgivable. ICO would hand out a 5-6 figure fine for a data breach like this. I'm truly astounded. Concur with LuckyReds that plain text is a massive no no, even in the transmission stage, sending it is ridiculous! Even if they are stored, encrypted, salted and hashed somewhere, the fact they have sent them makes it irrelevant.

    I would bet good money that this password is the same in a lot of the 'customers' other internet services.
  • lol just got two of these in my inbox - both with my right name, but with two different sets of username/passwords...
  • AshBurton said:

    Spooky. As soon as I finished reading this thread, the same email popped into my inbox. At least it addressed me by my own name. I don't recognise the user name (6 digits) but it's definitely my normal password. Just weird (possibly also unique).

    Nothing here, though I have just received a tax refund of £600.84 GBP. Just let me click on the completely unsuspicious link...
  • SDAddick
    SDAddick Posts: 14,481
    robroy said:

    So over the past three weeks I have received about 5 different spam emails from the club. Each time I am called a different name, Paul, David, Daniel.

    I am not sure what email system they are using, but it's clearly not working.

    They are also putting user names and passwords on the email to purchase tickets; this must be for other people's accounts.

    I have a season ticket and my name is Rob for the record.

    Thanks for bringing this to our attention Steve.

    FFS!!!!!! This stuff really isn't that hard
  • My son got one; he has never had an account or password, so it's strange they sent one to him
  • AshBurton
    AshBurton Posts: 1,142

    My son got one; he has never had an account or password, so it's strange they sent one to him

    That's ok, he can log in with someone else's details now
  • SDAddick
    SDAddick Posts: 14,481
    LuckyReds said:

    This explains some of my dismay at the fact the emails contain passwords - http://plaintextoffenders.com/about/ - without even beginning to question how the hell they're being sent to the wrong email addresses.

    I'm wondering if someone's messed up tying in some mail service to the site?

    But how have they gotten it both spouting off random emails and including UN/PWD in them? And since when do you include BOTH a UN and PWD in an email? Surely you segregate them.

    And yeah the plain text storage of UN/PWD...I mean I get it, they don't think it matters but we're seeing time and again that in the internet of things era you have to secure and salt everything. Sigh.
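Added example (not code from the club's or any vendor's ticketing system) of the point LuckyReds and SDAddick make above: keep only a per-user random salt and a PBKDF2 digest, so the site cannot email a password because it never holds one, and handle "forgot password" the way Nug describes, with a single-use reset token instead of the credential. Standard library only; the in-memory UserStore and the user records are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per user means two
    users with the same password do not share a stored value."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    """Constructed in-memory store: holds only (salt, digest) per user, so there
    is no plaintext password anywhere that could end up in an email."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        self._reset_tokens: Dict[bytes, str] = {}  # sha256(token) -> username

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        return rec is not None and verify_password(password, *rec)

    def issue_reset_token(self, username: str) -> str:
        """'Forgot password' flow: the site emails a random single-use token,
        never the password, which it could not produce in any case."""
        token = secrets.token_urlsafe(32)
        self._reset_tokens[hashlib.sha256(token.encode()).digest()] = username
        return token

    def reset_with_token(self, token: str, new_password: str) -> bool:
        username = self._reset_tokens.pop(hashlib.sha256(token.encode()).digest(), None)
        if username is None:
            return False  # unknown or already-used token
        self._users[username] = hash_password(new_password)
        return True
```

The only thing the store can ever hand back is a reset token; the original password is unrecoverable from the salt and digest, which is exactly what makes the emails in this thread impossible for a correctly built system.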
  • cabbles
    cabbles Posts: 15,264
    I'm still waiting to hear back to be honest. Michael Douglas and Christoph Waltz's agents are up my arse, but Roland doesn't care