Spam emails from the club
Comments
-
Why are they sending out user names and passwords in the same email? That's amateurish.
Do the details log you in to your account? Have the club confirmed they're sending them out or is it a scam to get your bank details?
1 -
I've just received 4 emails advertising the Football for a Fiver match.
2 are for me & Mr F & 1 each for our grandkids who had £50 season tickets a couple of years ago.
Each email quotes our correct CON numbers stating they are our user names & a further 8 letter/number code stating they are our passwords.
The only one of us that has requested & used a password from the Club to purchase tickets is yours truly.
And the passcode quoted for me is NOT the one I successfully use.
So, it appears that every Red Card holder, or whatever the club now calls them, has been allocated a password whether they want one/not or already have one in use.
Not sure if that helps to clarify things but should we be concerned?
0 -
Has anyone made an official complaint?
Could be worth it just in case
0 -
Blimey. What a shambles. It would seem their customer database is still wildly inaccurate, full of duplicate and transposed information. The fact that they have deliberately composed an email containing usernames and passwords shows that they have absolutely no clue about data protection. Even if the info was correct, sending out that sort of detail in an unsolicited marketing email is a breach of data protection regulations - somebody needs to report this. It's not the first time they've included personal info in marketing emails that were sent to the wrong people. They really need to be slapped (hard!) and put straight over their cavalier and incompetent handling of their customers' personal info.
1
-
I've had two emails with two different user names and passwords. Very odd.
1
-
If anyone gets mine can they log in for me and close my account. Staprix Charlton
3
-
Huge data breach. And has to be dealt with very promptly, a hacker's dream... one password can do a lot of damage.
The Club that keeps on giving.
1 -
Forward it unedited to me and I'll sort it out for you...
Addickted2TheReds said:
I've had one.
It's addressed to me but I'm not happy that it has my password, that I use for almost everything, written in plain text.
That is a big no no and asking for disaster.
3 -
Damn you, Royal Mail...
killerandflash said:
Interesting
The ticket system is a mess of usernames, but I usually log in with my email address, and the auto generated password the club sent me
I've just got the email, which has my CON number and a different system generated password.
Both work and take me to my account
4 -
I have sent an email to the ticket office query address complaining.
I will see if I get a reply.
0 -
I didn't get any emails!
Anyone had an offer of free tickets for their birthday though?
0 -
Username:rikofold said:
Forward it unedited to me and I'll sort it out for you...Addickted2TheReds said:I've had one.
It's addressed to me but I'm not happy that it has my password, that I use for almost everything, written in plain text.
That is a big no no and asking for disaster.
A2TR
Password:
R1ch1sATw@t10 -
Considering there were tweets directed at the account, and retweeted with a few frustrated comments, I wouldn't hold your breath.
Alwaysneil said:
I have sent an email to the ticket office query address complaining.
I will see if I get a reply.
The media team were active posting about other things too. Pretty disappointed that not only did they not acknowledge the issue... But they continued sending the emails out!
Free tickets for your birthday?!
Athletico Charlton said:
I didn't get any emails!
Anyone had an offer of free tickets for their birthday though?
FFS, I'll be having words with my mum about the fact I was born in July during the middle of the summer break.
1 -
I'd think the whole thing was automated and scheduled, plus staff involved will have gone home around the time the complaints started.
0
-
This is surely worthy of a complaint to the Information Commissioner's Office.
I haven't received an email but is there anyone on here that received one, who knows about data protection, who is prepared to put a complaint in?
Edit: On their own behalf and that of other fans.
5 -
The first thing the ICO will do is ask if you have raised it with the organisation and received a full and final reply. If yes to both and you are not satisfied then complete and return this form:
Davo55 said:
This is surely worthy of a complaint to the Information Commissioner's Office.
I haven't received an email but is there anyone on here that received one, who knows about data protection, who is prepared to put a complaint in?
Edit: On their own behalf and that of other fans.
https://ico.org.uk/media/report-a-concern/forms/1523/information-handling-form.pdf
2 -
I think if you tried harder you could squeeze a little more jargon in there LR...
LuckyReds said:
That's what's confusing me, and makes me think someone has buggered up integrating a mass mailing service. I presume the CMS (which the media team apparently hate) doesn't support mass mailing, but it's essential to the marketing department at CAFC - so they've got some form of integration going on.
SDAddick said:
But how have they gotten it both spouting off random emails and including UN/PWD in them? And since when do you include BOTH a UN and PWD in an email? Surely you segregate them.
LuckyReds said:
This explains some of my dismay at the fact the emails contain passwords - http://plaintextoffenders.com/about/ - without even beginning to question how the hell they're being sent to the wrong email addresses.
I'm wondering if someone's messed up tying in some mail service to the site?
And yeah the plain text storage of UN/PWD...I mean I get it, they don't think it matters but we're seeing time and again that in the internet of things era you have to secure and salt everything. Sigh.
Purely speculation, but this is what I'd kinda expect if there was an issue with an integration. If it was somehow it's pulling in account details from the DB in the CMS... but of course, the IDs don't match in both the systems. So the email address belonging to #123 in the marketing app, is retrieving the UN/PWD belonging to #123 in the CMS: which is totes different. Once again, pure speculation.
The plain-text UN/PWD is a real bugger though, even if the UN is simply a 6 digit number - I'm sure when you log in you'll find more information. Potentially even email addresses which share the same password and.. voilà; you've got their emails you've probably got everything.
(I genuinely have not got a clue what on earth you are talking about)
7 -
I've had 3 - 2 to me and one to my son. I don't recognise passwords or user IDs on any.
0
-
Thanks Bob
bobmunro said:
The first thing the ICO will do is ask if you have raised it with the organisation and received a full and final reply. If yes to both and you are not satisfied then complete and return this form:
Davo55 said:
This is surely worthy of a complaint to the Information Commissioner's Office.
I haven't received an email but is there anyone on here that received one, who knows about data protection, who is prepared to put a complaint in?
Edit: On their own behalf and that of other fans.
https://ico.org.uk/media/report-a-concern/forms/1523/information-handling-form.pdf
@Alwaysneil - if the club don't respond satisfactorily, maybe something to follow up with?
0 -
They clearly haven't got a clue how to manage their data. I really don't trust them.
Athletico Charlton said:
I didn't get any emails!
Anyone had an offer of free tickets for their birthday though?
I always tick any "don't contact me" box, and never had any marketing emails from the club, but after they emailed about the netting farrago they then sent me a mail trying to sell me carvery tickets for Father's Day. I sent them a sharply-worded response telling them to take me off their marketing lists and to let me know they had done this; no response came, but nothing has come since (including this balls-up).
2 -
my response from the ticket office
'We have emailed a unique email that included your username and password in order for you to log into your online account. We have noticed that many Charlton fans have created duplicate accounts as they did not know their online log in details.
Please be aware that only accounts set up to your email address would receive these log in details.
If you have any other questions please feel free to contact me.'
2 -
So why would they get the names wrong and send multiple different emails?
rina said:
my response from the ticket office
'We have emailed a unique email that included your username and password in order for you to log into your online account. We have noticed that many Charlton fans have created duplicate accounts as they did not know their online log in details.
Please be aware that only accounts set up to your email address would receive these log in details.
If you have any other questions please feel free to contact me.'
2 -
rina said:
my response from the ticket office
'We have emailed a unique email that included your username and password in order for you to log into your online account. We have noticed that many Charlton fans have created duplicate accounts as they did not know their online log in details.
Please be aware that only accounts set up to your email address would receive these log in details.
If you have any other questions please feel free to contact me.'
The reason many Charlton fans have duplicate accounts is because their online ticketing system is irredeemably shite. I tried to buy two tickets to a game online. It didn't recognise my password. It refused to send me an email when I requested a password reminder. I finally had to set up a new account using a different email address. I'm sure I'm not the only one that's had to put up with this runaround.
I suspect I didn't receive this particular marketing email because I set up the password on this new account as 'rolandblowsgoats'
10 -
and none of it answers the questions I asked about why they are storing and transmitting my password in plain text
0
-
To be fair, if it has YOUR username and password in it then you're one step ahead of the rest.
Alwaysneil said:
I have only got one email, to the email address I registered recently to buy a Bolton ticket.
Like many others I was amazed it had my username and password in it together.
Ridiculous.
5 -
Ok, so that would be a major step forward: apparently the credentials are correct for the user who received them. If that's true then, why the hell are people receiving emails to incorrect names?
rina said:
my response from the ticket office
'We have emailed a unique email that included your username and password in order for you to log into your online account. We have noticed that many Charlton fans have created duplicate accounts as they did not know their online log in details.
Please be aware that only accounts set up to your email address would receive these log in details.
If you have any other questions please feel free to contact me.'
It does suggest a peculiarity with their system though, why can you register multiple accounts to one email address anyway?
In short, I suspect there's a little bit of a bullshit going on here - combined with a horrendous pile of shit that's storing our data.
4 -
Further to my previous post - it would appear from the response from the club that you've tried (Yes) and are not satisfied (Yes).
Data Controller details
Registration Number: Z6640867
Date Registered: 15 April 2002 Registration Expires: 14 April 2017
Data Controller: CHARLTON ATHLETIC FOOTBALL COMPANY LIMITED
5 -
Rather sadly I enjoy speculating on stuff like this a bit too much.
Algarveaddick said:
I think if you tried harder you could squeeze a little more jargon in there LR...
LuckyReds said:
That's what's confusing me, and makes me think someone has buggered up integrating a mass mailing service. I presume the CMS (which the media team apparently hate) doesn't support mass mailing, but it's essential to the marketing department at CAFC - so they've got some form of integration going on.
SDAddick said:
But how have they gotten it both spouting off random emails and including UN/PWD in them? And since when do you include BOTH a UN and PWD in an email? Surely you segregate them.
LuckyReds said:
This explains some of my dismay at the fact the emails contain passwords - http://plaintextoffenders.com/about/ - without even beginning to question how the hell they're being sent to the wrong email addresses.
I'm wondering if someone's messed up tying in some mail service to the site?
And yeah the plain text storage of UN/PWD...I mean I get it, they don't think it matters but we're seeing time and again that in the internet of things era you have to secure and salt everything. Sigh.
Purely speculation, but this is what I'd kinda expect if there was an issue with an integration. If it was somehow it's pulling in account details from the DB in the CMS... but of course, the IDs don't match in both the systems. So the email address belonging to #123 in the marketing app, is retrieving the UN/PWD belonging to #123 in the CMS: which is totes different. Once again, pure speculation.
The plain-text UN/PWD is a real bugger though, even if the UN is simply a 6 digit number - I'm sure when you log in you'll find more information. Potentially even email addresses which share the same password and.. voilà; you've got their emails you've probably got everything.
(I genuinely have not got a clue what on earth you are talking about)

The non-technical explanation would be "it's fucked", whilst a slightly more in-depth one would be this analogy: A database generally has a unique way of identifying a particular record of data, most often a number. Like CharltonLife seems to think I'm "4773". To all intents and purposes this number is like a name.
My analogy sucks, and the club are now claiming they sent the correct username and passwords. However they haven't said this publicly, and it doesn't explain the incorrect names that were in the emails either.
Now imagine I met up with you in a pub, and I brought a work colleague with me. When you refer to me as "LuckyReds" he doesn't have a clue who you're on about, whilst when he refers to me as "Insufferable Asshole" you don't know who he's talking about either! You do know an insufferable asshole though, so you presume he's actually talking about your friend instead.
My colleague then says to you, "Oh, have you got Insufferable Asshole's number?" - so you give him the number for your friend and not me.
In that analogy you're both databases that have different ways of identifying me, so when you try and talk about me you end up talking about different people - and ultimately you give him the wrong info. So if my speculation was correct, the email app asks for someone identified by "123" (actually called "James") whilst the ticket app responds with "Oh, 123? Yeah that's David.. here's his username and password!".1 -
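The ID mismatch speculated about in the post above, as an added example that is not part of the thread and not the club's code: a mail merge that joins two systems on their own record numbers pairs recipients with someone else's account, while a join on a shared key, with a pre-send ownership check, does not. All names, addresses and CON-style usernames below are constructed, and the merged rows carry a username only.

```python
# Added example with constructed data. Each system numbers its own records,
# so id 123 is a different person in each (the fault speculated in the thread).
MARKETING = {  # hypothetical mailing-list records
    123: {"name": "James", "email": "james@example.org"},
    124: {"name": "David", "email": "david@example.org"},
    125: {"name": "Priya", "email": "priya@example.org"},
}
TICKETING = {  # hypothetical ticketing accounts
    123: {"username": "CON100002", "email": "david@example.org"},
    124: {"username": "CON100001", "email": "James@Example.org"},
    125: {"username": "CON100003", "email": "priya@example.org"},
    126: {"username": "CON100004", "email": "priya@example.org"},  # duplicate
}


def merge_by_row_id(marketing, ticketing):
    """Flawed merge: treats id N as the same person in both systems."""
    return [(m["email"], m["name"], ticketing[i]["username"])
            for i, m in sorted(marketing.items()) if i in ticketing]


def merge_by_email(marketing, ticketing):
    """Merge on a key both systems share; hold back ambiguous matches."""
    accounts = {}
    for acct in ticketing.values():
        accounts.setdefault(acct["email"].lower(), []).append(acct["username"])
    rows, held = [], []
    for _, m in sorted(marketing.items()):
        usernames = accounts.get(m["email"].lower(), [])
        if len(usernames) == 1:
            rows.append((m["email"], m["name"], usernames[0]))
        else:
            held.append(m["email"])  # no account or several: needs review
    return rows, held


def misdirected(rows, ticketing):
    """Pre-send check: rows whose recipient does not own the account."""
    owner = {a["username"]: a["email"].lower() for a in ticketing.values()}
    return [r for r in rows if owner[r[2]] != r[0].lower()]


if __name__ == "__main__":
    bad = merge_by_row_id(MARKETING, TICKETING)
    good, held = merge_by_email(MARKETING, TICKETING)
    print("row-id merge, misdirected:", misdirected(bad, TICKETING))
    print("email merge, misdirected:", misdirected(good, TICKETING), "held:", held)
```

Running `misdirected` over the merged rows before anything is sent is what turns a silent mix-up into a blocked batch.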
I am not a number!
edit: ok well I am a bit - as in 1947.
I received 2 e-mails from the club with two different passwords and numbers
presumably from previous ticket applications.
1 -
I'm feeling a bit left out. I have not had an email even with the wrong name. I am beginning to wonder if I have been banned after carrying a black and white umbrella at one of the protests.
4