I've got 3 emails this afternoon. Really annoying.
Username was just a random 6 figure number but it was different on each email, same goes for the passwords.
If they're not doing this in-house why can't they just pay someone enough to do it properly? I've used online booking sites for loads and loads of different places and I've never come across one as bad as Charlton's.
This explains some of my dismay at the fact the emails contain passwords - http://plaintextoffenders.com/about/ - without even beginning to question how the hell they're being sent to the wrong email addresses.
I'm wondering if someone's messed up tying in some mail service to the site?
But how have they gotten it both spouting off random emails and including UN/PWD in them? And since when do you include BOTH a UN and PWD in an email? Surely you segregate them.
And yeah the plain text storage of UN/PWD...I mean I get it, they don't think it matters but we're seeing time and again that in the internet of things era you have to secure and salt everything. Sigh.
That's what's confusing me, and makes me think someone has buggered up integrating a mass mailing service. I presume the CMS (which the media team apparently hate) doesn't support mass mailing, but it's essential to the marketing department at CAFC - so they've got some form of integration going on.
Purely speculation, but this is what I'd kinda expect if there was an issue with an integration. If somehow it's pulling in account details from the DB in the CMS... but of course, the IDs don't match in both the systems. So the email address belonging to #123 in the marketing app, is retrieving the UN/PWD belonging to #123 in the CMS: which is totes different. Once again, pure speculation.
The plain-text UN/PWD is a real bugger though, even if the UN is simply a 6 digit number - I'm sure when you log in you'll find more information. Potentially even email addresses which share the same password and... voilà; you've got their emails you've probably got everything.
They got my name right on both emails but there were different usernames and passwords each time. And to my knowledge I don't even have a username or password.
I just got an email. Don't recognise the user number though as my old con number but I lost that soon after I received the card as my purse was stolen. I'll try to log on tomorrow but slightly concerned to notice that we're playing Scunthorpe at 07.45 am!!!!
Feel a bit sorry for the staff to be honest. Senior management should have spotted this was an inappropriate thing to do and stopped it. But senior management is out to lunch.
More like out of their depth, but either scenario is scary!
This indicates a huge cock-up. First off you should not send usernames AND passwords in an unsolicited email. It's just not secure enough.
Secondly, the fact that incorrect data has been sent indicates a fairly basic data extract went horribly wrong. Before you send out an email of this type you should have previewed the mails generated and checked a small percentage of them manually against the database. At least that's the kind of thing I do to ensure that it hasn't gone utterly wrong when I'm extracting data for anything of importance. Saves egg on face.
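The pre-send check described in the post above, run against the ID mismatch speculated earlier in the thread, as an added example that is not part of the original posts or the club's systems. The table names, columns and sample rows are constructed for illustration, and the mismatch itself is the poster's guess, not a confirmed cause.

```python
import random
import sqlite3

def build_db():
    """Constructed sample data: two systems whose numeric IDs are unrelated."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE cms_accounts (id INTEGER, username TEXT, email TEXT);
        CREATE TABLE mail_contacts (id INTEGER, name TEXT, email TEXT);
        INSERT INTO cms_accounts VALUES
            (1, '100001', 'alice@example.org'),
            (2, '100002', 'bob@example.org'),
            (3, '100003', 'carol@example.org');
        INSERT INTO mail_contacts VALUES
            (1, 'Bob', 'bob@example.org'),
            (2, 'Carol', 'carol@example.org'),
            (3, 'Alice', 'alice@example.org');
    """)
    return db

def merge(db, key):
    """Build (recipient, username) pairs, joining the two systems on `key`."""
    if key not in ("id", "email"):
        raise ValueError("unsupported join key")
    return db.execute(
        f"SELECT m.email, c.username FROM mail_contacts m "
        f"JOIN cms_accounts c ON m.{key} = c.{key} ORDER BY m.id").fetchall()

def presend_check(db, merged, sample_size, seed=0):
    """Re-check a random sample of merged mails against the account table.

    Returns the sampled mails whose recipient is not the account's own address.
    """
    sample = random.Random(seed).sample(merged, min(sample_size, len(merged)))
    bad = []
    for recipient, username in sample:
        row = db.execute("SELECT email FROM cms_accounts WHERE username = ?",
                         (username,)).fetchone()
        if row is None or row[0] != recipient:
            bad.append((recipient, username))
    return bad

if __name__ == "__main__":
    db = build_db()
    for key in ("id", "email"):
        bad = presend_check(db, merge(db, key), sample_size=2)
        print(key, "HOLD" if bad else "ok to send", bad)
```

Joining on the shared attribute (the email address) instead of each system's own row ID is what makes the second run pass; the sample check is what stops the first run from going out.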
but slightly concerned to notice that we're playing Scunthorpe at 07.45 am!!!!
The old breakfast kick off time, that'll be a ruse to throw that protesting lot from CARD off the scent. Everyone knows Katie will miss that game as well unless she overnights it at the "Anti"
If you've got an account on the CAFC tickets website and you've used the same password on the CAFC site as other websites, you'll now need to change your passwords elsewhere to ensure the security of your personal information.
Comments
Username was just a random 6 figure number but it was different on each email, same goes for the passwords.
If they're not doing this in-house why can't they just pay someone enough to do it properly? I've used online booking sites for loads and loads of different places and I've never come across one as bad as Charlton's.
Purely speculation, but this is what I'd kinda expect if there was an issue with an integration. If somehow it's pulling in account details from the DB in the CMS... but of course, the IDs don't match in both the systems. So the email address belonging to #123 in the marketing app, is retrieving the UN/PWD belonging to #123 in the CMS: which is totes different. Once again, pure speculation.
The plain-text UN/PWD is a real bugger though, even if the UN is simply a 6 digit number - I'm sure when you log in you'll find more information. Potentially even email addresses which share the same password and... voilà; you've got their emails you've probably got everything.
It's addressed to me but I'm not happy that it has my password, that I use for almost everything, written in plain text.
That is a big no no and asking for disaster.
I don't recognise either password though.
I'd advise changing them all ASAP.
The ticket system is a mess of usernames, but I usually log in with my email address, and the auto generated password the club sent me
I've just got the email, which has my CON number and a different system generated password.
Both work and take me to my account
Secondly, the fact that incorrect data has been sent indicates a fairly basic data extract went horribly wrong. Before you send out an email of this type you should have previewed the mails generated and checked a small percentage of them manually against the database. At least that's the kind of thing I do to ensure that it hasn't gone utterly wrong when I'm extracting data for anything of importance. Saves egg on face.
Like many others I was amazed it had my username and password in it together.
Ridiculous.