So over the past three weeks I have received about 5 different spam emails from the club. Each time I am called a different name, Paul, David, Daniel.
I am not sure what email system they are using, but it's clearly not working.
They are also putting user names and passwords on the email to purchase tickets, this must be for other people's accounts.
I have a season ticket and my name is Rob for the record.
10 Comments
Can you elaborate a bit on this please?
If they are now sending complete log-in information to random people they are effectively giving away the personal information held on the intended recipient, because you could then access it, although probably not saved credit card info. Bound to be a breach of the legislation even so.
Second question; if anyone has bought tickets recently, do the payments go via the CAFC site or via a third party payment gateway? If they handle payments directly, then I would imagine storing user login credentials in plain-text may cause a compliance issue with PCI-DSS? (As I think that extends beyond the storage of payment details, and into the security of any system which handles payments; if anyone here works in compliance perhaps they could shed some light on that?)
Alas, I understand that this isn't actually the club - but most likely their vendor. But still... WTF? For what it's worth, I'm fairly certain I disclosed a vulnerability to Navision (the vendor) around 2 years ago and got nothing back.
I'm wondering if someone's messed up tying in some mail service to the site?
I'm lucky to get any emails about ticketing, it takes hours to get the confirmation email when I've bought a ticket!
I would bet good money that this password is the same in a lot of the 'customers' other internet services.
FFS!!!!!! This stuff really isn't that hard
And yeah the plain text storage of UN/PWD...I mean I get it, they don't think it matters but we're seeing time and again that in the internet of things era you have to secure and salt everything. Sigh.