Forgot your password?
typodupeerror
Privacy Your Rights Online

ISP Emails Customer Database To Thousands 259

Posted by samzenpus
from the give-me-a-list dept.
Barence writes "British ISP Demon Internet has mistakenly sent out a spreadsheet containing the personal details of more than 3,600 customers with one of its new ebills. The spreadsheet contains email addresses, telephone numbers and what appears to be usernames and passwords for the ebilling system. It was attached to an email explaining how to use the new system. Police forces and NHS trusts are among the email addresses listed in the database. A spokesman for Demon Internet confirmed that the company "was aware this happened this morning"."
This discussion has been archived. No new comments can be posted.

ISP Mistakenly Emails Customer Database To Thousands

Comments Filter:
  • Demon Internet Yesman: Christ! We're getting murdered out there!
    Demon Internet CEO: Okay, okay, calm down. We've got a little issue on our hands here and we kinda need to sweep this little thing under the carpet. Now, you're not getting paid six figures to agree with me, what have you got?
    Demon Internet Yesman: I've drafted an e-mail that explains to our customers that for Halloween we decided to be evil -- after all, we are Demon Internet? Huh? Huh?
    Demon Internet CEO: Not bad, not bad ... if it was fucking October! And we're dealing with internet users here, not AOL USERS! Jesus, has anyone else got something better?
    Demon Internet Yesman: I've got it! We tell them that we're trying to be transparent and an "open information" company because information wants to be free and so we sent everyone everyone's log on and contact information so they can ...
    Demon Internet CEO: Did you just personify the noun 'information'? That's the stupidest fucking thing I've ever heard. Who are you? Pack your shit, you're fired. Next.
    Demon Internet Yeswoman: *tentatively raises her had* Well, we could tell them that we suspected one of them was an evil dirty file sharer ...
    Demon Internet CEO: ... I'm listening ...
    Demon Internet Yeswoman: ... and now that the evil person tried to do something evil with that data, we have caught them and they are safely behind bars but if you're receiving this message you are not evil so you have nothing to worry about and only good people have your information.
    Demon Internet CEO: *nods slowly and approvingly* Yes, yes, that's good. We are law enforcers, we are providers, in their eyes we have done only good and now they fear and respect us and think they have escaped the sickle of justice. I like it. Sally, you're off of blow job duty. Frank, you're on blow job duty -- it's simple: my office every weekday at noon. Sally, I knew that equal opportunity employment shit that made me hire you was on to something. Okay folks, listen up, I want everyone in Great Britain to open their mouths 'cause I'm about to put my big fat cock in it.
    • by Reason58 (775044) on Wednesday September 23, 2009 @05:23PM (#29523023)
      Demon's going to have hell to pay.
      • by moon3 (1530265) on Wednesday September 23, 2009 @05:32PM (#29523137)
        If they follow evil corporation best practices manual -- they obviously do so, then I doubt that.
        • I wonder... (Score:2, Informative)

          by BrokenHalo (565198)
          I wonder how rare this situation actually is. The same thing happened to me in about 1998 when I was a customer of Q-net, which later got absorbed by Eftel [eftel.com]. Some certifiable cretin emailed out the ISP's entire customer contact list to every one of its customers. The managing director of Q-Net was a total creep, and rather than admitting responsibility and eating crow, his letter of "apology" was more of an exhortation to customers to secure their passwords. Needless to say, I was unamused, and changed ISPs
    • by keytoe (91531) on Wednesday September 23, 2009 @05:41PM (#29523279) Homepage
      Demon Internet Yesman 2: Uh, um .... SPLUNGE!
      Demon Internet CEO: What does splunge mean?
      Demon Internet Yesman 2: It means it's a great idea, but possibly not, and I'm not being indecisive!
      Demon Internet CEO: GOOD!
    • Re: (Score:2, Funny)

      Six months later, the Demon Internet CEO is replaced with the Fluffy Bunny CEO, after a sexual harassment lawsuit is filed by half of the board of directors. Fluffy Bunny commits to network neutrality, and cheap, high speed internet access for all. Demon Internet CEO seen a short while after the trial on the corner wearing black boy shorts and a bow tie as the newest strawberry in the unemployment line. Fluffy Bunny calls Sally into the office, makes her the new head network administrator, and she installs

      • by Reason58 (775044) on Wednesday September 23, 2009 @05:49PM (#29523359)

        Six months later, the Demon Internet CEO is replaced with the Fluffy Bunny CEO, after a sexual harassment lawsuit is filed by half of the board of directors. Fluffy Bunny commits to network neutrality, and cheap, high speed internet access for all. Demon Internet CEO seen a short while after the trial on the corner wearing black boy shorts and a bow tie as the newest strawberry in the unemployment line. Fluffy Bunny calls Sally into the office, makes her the new head network administrator, and she installs linux on everything, saving the company a fortune. And since this wouldn't be slashdot without some kind of sexual commentary -- Sally also sets up her own dungeon between several racks of blade servers, a webcam, and begins posting her payback sessions to fund some much-needed hardware upgrades. :P

        The stories are funnier when they are fictitious, Sally.

      • Great, I just got an diabetes and an erection from reading your post.

        "Too good to be true" says the empty bottle of Three Philosophers Quadruple sitting next to me.
        • Re: (Score:2, Funny)

          by Reason58 (775044)

          Great, I just got an diabetes and an erection from reading your post.

          Sounds like you need an insulin erection.

  • by cryfreedomlove (929828) on Wednesday September 23, 2009 @05:24PM (#29523039)
    Is there a good alternative ISP available to the same customers. If so, then I would expect a stampede away from Demon ISP to their competitor. There is no need for government intervention.
    • by Anonymous Coward on Wednesday September 23, 2009 @05:32PM (#29523139)

      Storing user passwords unencrypted in an excel spreadsheet should be a crime.

      Maybe it isn't. But I consider it to be a criminal level of negligence with significant public harm.

      • by icebike (68054) on Wednesday September 23, 2009 @05:42PM (#29523293)

        Having a company be able to SEE any user's password should be a crime. Standard practice is that NOBODY, not even sysadmins can see it. They can change it but not see it.

        • by sgbett (739519)

          I thought it was bad when places emailed you your own password, but this is prettty 'special'...

        • by sabernet (751826)

          That's one of the first things I thought of when reading the summary.

          What kind of jackass stores passwords in plain text on a DB? At the least: store the hash+salt, compare the input's hashe+salt. You should NEVER store the password in a retrievable manner.

          Then again, I suppose it's the same kind of jackass that doesn't do a QA run to make sure something pesky, like say, the ENTIRE client list, gets attached to your invoices.....

          Someone please ID this idiots+management and post it out for the world to see

        • by selven (1556643)
          Standard practice is that nobody knows the password - you just store the hash.
          • Re: (Score:3, Funny)

            by Dragonslicer (991472)

            Standard practice is that nobody knows the password - you just store the hash.

            Not even the user knows their own password... now that's security!

        • by dbIII (701233) on Wednesday September 23, 2009 @08:15PM (#29524347)
          If even the computer knows the password somebody has made a hash of the job :)
          It's not 1980 anymore and we have the hardware and software to make secure password handling with hashes instead of recorded passwords a very simple process, so that's the first link in this long chain of failure. That those doing the billing have access to the passwords show that there are a lot of links in this chain that should not be there.
          • Re: (Score:2, Insightful)

            by Anonymous Coward

            If even the computer knows the password somebody has made a hash of the job

            Of course you mean that if even the computer knows the password, somebody failed to make a hash of it. Good call though!

        • Having a company be able to SEE any user's password should be a crime. Standard practice is that NOBODY, not even sysadmins can see it. They can change it but not see it.

          It is now a bit naive to think that things work like this in the industry. Years ago, this was indeed the forward thinking, "engineered" best practice, and though not directly, why systems like Kerberos were originally created.

          Sadly however, with the advent of the web, SSL, LDAP, and hundreds of other possible databases to need access, most PHB types quickly bought into "identity management" schemes being pawned by multiple vendors. These schemes end up "managing" your kept password(s) into "secret stores

        • Having a company be able to SEE any user's password should be a crime. Standard practice is that NOBODY, not even sysadmins can see it. They can change it but not see it.

          That depends on who you ask. A LOT of IT organisations keep passwords around, since users just can't take their passwords seriously enough. With company data (or any other data really) encrypted using passwords/keys, it's not simply a matter of resetting the password and continuing as if nothing had happened.

    • by Hatta (162192) *

      That's all well and good until the ISP everyone flocks to has a data breech.

    • by Penguinisto (415985) on Wednesday September 23, 2009 @05:40PM (#29523257) Journal

      Their biggest competitor is BT [bt.co.uk] ... Not quite seeing a stampede happening in that direction.

      There's always Orange, I guess...

      (...and to think that I bitch about Comcast...)

      /P

      • If there is no stampede then maybe the customers don't care about the breach enough to jump. They are making a voluntary decision to stay.
        • A voluntary decision to stick with a reliable ISP. Seriously, most ISP's in England are terrible. I know people using various ones, and the only I NEVER hear complaints about is Demon.

          So, do you want privacy or reliability? You only get to pick one apparently.

          • by clive_p (547409) on Wednesday September 23, 2009 @06:03PM (#29523501)
            I'm amazed that you never heard complaints. I was with them for 14 years, but left a few months ago, as their service deteriorated to a level that was completely intolerable. The original company was good, but was successively taken over several times, and all the competent people left. Have a look at the Usenet newsgroup demon.service and you will find plenty of complaints...
          • by badfish99 (826052)

            I stayed with them for a few months after their takeover by Thus, until a new ISP installed ADSL+ in our exchange. In that time, the bandwidth I was getting deteriorated enormously, and their customer service changed from an engineer who understood "I can see your pings hitting my firewall" to a call centre worker in India who could only say "reinstall windows". And after I left, they forgot to remove me from their billing system, so they kept sending me letters threatening court action and bailiffs.

            That mu

        • Being generous, I often allow my service providers one mistake. They never get a third.
    • by MrBandersnatch (544818) on Wednesday September 23, 2009 @06:09PM (#29523539)

      Demon, once upon a time at least, was a VERY good ISP (ex-customer and I don't recall leaving them due to dis-satisfaction, I think it was the move to ADSL which prompted the switch).

      Anyways, http://forums.thinkbroadband.com/ [thinkbroadband.com] is a good place to get real user feedback on ISPs. Somewhat strangely there are 666 new posts for Demon (I kid you not). I personally am unable to recommend any ISP though. Clara.net shafted me for £100 years ago when their channel bonded ISDN service just wouldn't work for me so I'd recommend you avoid them like the plague; Nildram used to be GREAT but apparently have been taken over by talktalk and users don't look happy; and personally I'm currently stuck with Virgin who routinely cause my blood pressure to rise but because they offer the best speeds blah blah blah.

      On the business side I'll say that NewNet and Spitfire have done what they say on the packet overall.......

      Anyways, yes, if someone finds a decent ISP let us know please.

      • by Anonymous Brave Guy (457657) on Wednesday September 23, 2009 @06:35PM (#29523751)

        Anyways, yes, if someone finds a decent ISP let us know please.

        I've been with Zen's ADSL service for a couple of years now, since moving house. Give or take rare small glitches (and even then, they've had fewer of those than anyone else I've used) their service has always been fast and reliable. They don't have 24/7 tech support available, which did worry me to start with, but since I've never needed to call tech support once the service was set up that no longer bothers me. It does cost significantly more than the cheap providers as well, but I guess you get what you pay for. YMMV, caveat emptor, etc., but I'd sign up with them again.

    • Demon used to be the best British ISP, but they got too big and were bought out and are now owned by Thus PLC (nee Scottish Telecom) which is a clueless PHB, marketeer run POS.

      The problem in the UK, unlike Switzerland, I operate in both, is that the UK only has copper local (last mile) loop. Here we have fiber and copper 'im haus' which means that ISPs can form Internet+TV+Phone at reasonable price. Off peak I see 100mB down + 10 gB up with DTV and phone. Reliability is excellent.

      I use Cablecom (CH) and Tis
    • Re: (Score:3, Informative)

      by digitig (1056110)
      There are a lot of ISPs available in the UK, so there's plenty of choice [thinkbroadband.com] for fleeing customers.
  • So what? (Score:5, Funny)

    by should_be_linear (779431) on Wednesday September 23, 2009 @05:24PM (#29523045)
    Security through obscurity never helped anyone.
    • by TheSpoom (715771) *

      More importantly, hasn't this company ever heard of password hashing?

    • by Virak (897071)

      I know this is a joke, but it should really be modded insightful instead. This just reveals the already-existing incredible insecurity of their setup. If they were doing it right, the file would only have hashes, or preferably, hashes and salts. It would certainly still not be good to have it leaked, but the results of that happening would be significantly less serious. Instead, we have this.

  • One more reason... (Score:3, Insightful)

    by popo (107611) on Wednesday September 23, 2009 @05:26PM (#29523063) Homepage

    ... that privacy 'policies' don't mean squat...

  • by Monkeedude1212 (1560403) on Wednesday September 23, 2009 @05:30PM (#29523105) Journal

    10 Bucks says it comes down to a cat on the keyboard.

  • by danlip (737336) on Wednesday September 23, 2009 @05:32PM (#29523133)

    I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one was hash with salt, folks!

    Also "the company introduced a different ebilling system some months ago, but returned to paper billing following technical difficulties". Who hasn't managed to implement an ebilling system by 2009? Especially an ISP. They must be truly incompetent.

    • Ummm. Where I work spreadsheets are called "databases". I get stupider things in my email every morning at work than the email described here.

      And incidently, since POP and SMTP were switched off to force us to use outlook the number of misdirected emails has gone through the roof. Humans search by first name but Outhouse searches by last name. I have a common last name... And so does a certain senior manager.

      • Re: (Score:2, Informative)

        by danlip (737336)

        Ummm. Where I work spreadsheets are called "databases".

        But surely you don't have an ebilling login system trying to look up passwords in an excel spreadsheet? Or even an MS Access database? Although maybe Demon Internet does, given their extreme lack of clue.

        (and spreadsheets aren't databases, you can't write SQL queries against them)

        • by MichaelSmith (789609) on Wednesday September 23, 2009 @06:33PM (#29523741) Homepage Journal

          (and spreadsheets aren't databases, you can't write SQL queries against them)

          I know. Where I work they would probably employ an intern to copy and paste passwords between the database and the spreadsheet because the database in complicated while everybody understands excel. SQL has been pretty much replaced by the scripting and macro languages supported by excel anyway.

        • (and spreadsheets aren't databases, you can't write SQL queries against them)

          You realize there's been ODBC and JDBC drivers for Excel spreadsheets for many years now, right?

        • by casings (257363)

          Understanding SQL isn't a requirement to be considered a database.

          In fact, spreadsheets are databases. Wikipedia refers to these as end-user [wikipedia.org] databases.

          You are confusing the term database with an RDBMS or Relational Database Management System (and even that doesn't necessarily depend on the use of SQL).

    • by mortonda (5175) on Wednesday September 23, 2009 @07:07PM (#29523953)

      I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one was hash with salt, folks!

      While having it in an excel document is unexusable, there is a real reason why password are stored as plain text, and I hated it as a sysadmin. Look up CHAP vs PAP authentication... Basically, PAP sends the password in plain text across the wire from the modem server to the radius server, which can then look up the salt, hash it, and then verify the password.

      However, since this means sending passwords in the clear, most modem concentrators (most ISP's resell for a handful of large telcos that operate the modems nowdays) prefer to use CHAP, which hashes the password with something at the terminal server and sends both to the radius server. In order for the radius server to authenticate the session, it must have access to the original plain text to hash with the provided salt. Thus, the ISP must store all passwords in plaintext somewhere.

      That said, it should be stored in a hardened and dedicated server that only handles the storage (sql or ldap) and the radius server. Any billing interaction should only be to update the password, never to read. And it should never be put into a excel or word doc!

    • by AHuxley (892839)
      When MI6,5 the met or some task force calls, do they really what to call the white hat in from his/her home/holiday?
      They want a junior staff member with clearance to look up and IP and get that name. Why burn out your only real admin when its just reading a warrant, looking up time, ip and filling in the needed info.
      Young admins in the UK only know MS.
      if they had skills, they would be working in the real world.
  • by innocent_white_lamb (151825) on Wednesday September 23, 2009 @05:32PM (#29523135)

    I run a movie theatre and send and receive a lot of freight (film cans and advertising materials) by bus. I have an account with the provincial bus company so they send me a bill once per month containing all of the waybills for that month.
     
    This story goes back several years, as you will see.
     
    Originally, I got a monthly bill that consisted of a strip of adding machine paper stapled to an invoice that totalled up my waybills for the month. Then the bus company decided to modernize and send out bills printed by computer, which were apparently aggregated by having a computer in each bus depot send in each days transactions by modem to a central computer that printed the monthly bills.
     
    For the next year and a half, I got bills for anywhere from $10 to $30/month, nowhere near the $600-plus that I usually spent on bus freight.
     
    18 months later I got a (manually generated) bill for $13,000.
     
    The bus company has since stayed with manually generated bills and has never tried to computerize that part of their operation again.

    • You did end up paying the bill, right?

    • by geekoid (135745)

      Tge moral of the story is:

      When sonmeone implements a crappy system , it can effect that company and customers for years afterwords.

      Really, there is no reason not to modernize this shit.

    • by mpe (36238)
      run a movie theatre and send and receive a lot of freight (film cans and advertising materials) by bus. I have an account with the provincial bus company so they send me a bill once per month containing all of the waybills for that month. This story goes back several years, as you will see.
      Originally, I got a monthly bill that consisted of a strip of adding machine paper stapled to an invoice that totalled up my waybills for the month. Then the bus company decided to modernize and send out bills printed
  • by PipingSnail (1112161) on Wednesday September 23, 2009 @05:33PM (#29523149)
    Demon wanted all customers to take up eBilling several years ago. You had to opt out of eBilling. I opted out because I wanted a printed invoice to give to the accountants and because I thought sooner or later so cockup like this would happen. My choice has been vindicated. And no, I won't be looking for another vendor. Demon are more expensive than other vendors, but other than the eBilling foulup, they are generally good and no bandwidth restrictions or upper limits at all. And that is what I want.
    • Re: (Score:2, Interesting)

      by VisualD (1144679)
      Im assuming your on one of the business rates? I ask because I'm on HomeOffice 2+ (have been with demon for a good 8 years now) and have a cap of 60GB per rolling 30 day period. I've been capped to 128kbps twice now, so I rang for my mac code thinking I might try Be, and they offered me Demon Business 2+ Pro for £30 a month, which apparently is a no limits service. Would be nice to get your impressions of the service before committing to a 12 month contract, if you have the time :) BTW, I also
  • by olsmeister (1488789) on Wednesday September 23, 2009 @05:33PM (#29523151)
    Hard to believe that anyone in that type of position working for an ISP could be so careless. If anyone should know better, they should.
    I'd be curious to know if the passwords that were lost are ISP-assigned gibberish passwords, or user selected ones.
    If they are passwords selected by the users, look out. Too many people use the same passwords for many or all of their accounts.
    • Re: (Score:2, Interesting)

      by ZekoMal (1404259)
      Apparently you've never worked at an office. A bulk of computer complaints at such corporations tends to be from a combination of boredom and stupidity. Frankly, it's amazing that the entire world hasn't collapsed given the sheer number of "why can't I watch porn on our secure network??!!!11!!" type of inquiries; now imagine the same average cubicle corp running your internet.
    • Really! (Score:4, Interesting)

      by joggle (594025) on Wednesday September 23, 2009 @06:53PM (#29523863) Homepage Journal

      This reminds me of when I was hired to do some maintenance on a small fantasy racing team website. The website seemed pretty well implemented and the database seemed reasonable. I then took a look at the account info table and was horrified to find that everything was stored in plain text, passwords, real names, user names, CC numbers, addresses, etc. I'm not exactly a database/web guru, but come on! How hard is it to use md5() to store passwords?? And I don't like the idea of some random guy (me in this case) being entrusted with everyone's credit info. There has to be a better way.

      I learned my lesson though. I will never pass my credit info to a small-time website. To think that a fairly large ISP would be this stupid in the year 2009 is mind boggling.

      • Re: (Score:3, Insightful)

        by Kalriath (849904) *

        Credit Card info? That's a violation of PCI DSS right there along the lines of the great Web Hosting Talk fuck-up of last year. You can be fined millions for that.

        • PCI DSS isn't a law, it's a set of standards that the card industry wants you to follow if you're going to handle credit cards. There are no fines, you just lose your right to do CC business if you can't pass the audit. And the audits aren't perfect.

    • I'll call The Goat, LLC.

      You see, when a company fucks up, they call us at The Goat and we send them a person. Said person "works" there and takes all the blame and gets fired. The company looks good and we make money.

      Legal fuck ups cost $100,000 for the goat plus our markup of 100% for a total of $200,000. The $100,000 for the goat allows him to live for a while until the public forgets about him. Goats for white collar illegal activities will run on a sliding scale. But let's say you have another Enron t

    • Someone had better lose their job.

      Why? And who, exactly?

      Hard to believe that anyone in that type of position working for an ISP could be so careless. If anyone should know better, they should.

      It's probably less a case of knowing better, and more a case of clicking on the wrong file (something like "attach User-list.xls, mailmerge against User-list.xls" instead of "attach User-instructions.doc, mailmerge against User-list.xls"). Knowing that all of us organic beings are subject to error, is a single incident like this something to fire someone over? Or are you saying to fire whichever programmer or spec writer or system architect didn't think to build a mass-mail function in

    • I use one password for all of my accounts. It opens my Keepass [keepass.info] store.

      It's not a simple password.
  • Looking forward (Score:5, Interesting)

    by vrmlguy (120854) <samwyse@NoSpAm.gmail.com> on Wednesday September 23, 2009 @05:48PM (#29523353) Homepage Journal

    I think that we should start putting ficticious information (something blob-like, like a customer name) into sensitive databases that matches one or more virus signatures. This would cause email filters to block the content before it leaves the premises. (Yes, I realize that we'd need to be filtering out-going mail, but unless you're a spam generator, that's a small fractgion of your incoming email. Some of use are already doing this, although not for this reason.)

    • by dissy (172727)

      That is going to be _awesome_ once the local antivirus program deletes it off a system with stale exception lists :D

    • X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
  • just choose recall this message from the actions menu and the damage will be undone.
  • My very first email address was on a ...demon.co.uk host, back in the early 1990s.

  • Another reason... (Score:3, Informative)

    by SlashDev (627697) on Wednesday September 23, 2009 @06:12PM (#29523561) Homepage
    ... why emails originating from ISPs, should be audited first then approved / denied.

    • [window pop up] "Are you sure you want to send this?"
      [countdown timer on OK button] 5...4...3...2...1...
      [user clicks OK prematurely]
      [window pop up] "NO! Penalty timeout!"
      [countdown timer on OK button] 39...38...37...36...
  • by w0mprat (1317953) on Wednesday September 23, 2009 @06:20PM (#29523635)
    I ROFLd very hard at this. Now who hasn't heard of something like this happening or been in a work place where this has happend? Of all the security measures companies fret over these days they fail to recognise the threat of abject stupidity.

    Yes some asshat will accidentally forward whatever. How this occurs is demonstrated by my example below (I witnessed this, details altered). I've see co-workers make this mistake, and I've been a customer when the same fault happend and I got sent a 700kb spreadsheet of confidental information. But anyway, here is the two step method to epic fail:

    Step 1: Email staff with a template for them to send, and attach a spreadsheet of the customers

    -----Original Message-----
    From: Bob Smart [mailto: Bob.Smart@[-------].co.--]
    Sent: Thursday, 23 September 2008 10:53
    To: [-------] Outbound Contact Team
    Subject: FW: eBill template


    Hi Team,

    Please send this template below to all customers in the attached spreadsheet. You three can divide the work amongst yourselves.

    >

    Dear customer-name-here,

    [etc..]

    .....

    Step 2: Your keyboard jockeys forward the email, deletes the header and Boss's message. Inserts customer details into template. Send, Boom, Done.

    By default, forwarding in pretty much all mail applications keeps the attachment.

    I'm sure this is the principal way documents are leaked from just about any organisation.

    • by Ronald Dumsfeld (723277) on Wednesday September 23, 2009 @06:39PM (#29523775)

      I ROFLd very hard at this. Now who hasn't heard of something like this happening or been in a work place where this has happend? Of all the security measures companies fret over these days they fail to recognise the threat of abject stupidity.

      Many moons ago, I was told a tale about sending out mass mailings, not this "slip of the mouse" email stuff.

      The bank's marketing and finance guys have come up with this glossy brochure of stuff for their top customers, based on something like highest 5% balance holders. There's a letter drafted to accompany the brochure, it just remains to do the little personalising touches for the final run.

      Someone forgets to replace the output placeholder with the salutation generation program that'll even spew out "Dear Sir Whimsey-Porpoise".

      The final letters are printed, enveloped, and mailed. The salutation from the placeholder piece of code? "Dear Rich Bastard,".

      • by Kalriath (849904) *

        That's old. And it's probably an urban legend, as it's usually a charity emailing or sending letters to their biggest donors.

        • by 7 digits (986730) on Wednesday September 23, 2009 @07:26PM (#29524089)

          Snopes [snopes.com] says it is true.

          I also like the idea of Wells Fargo sending this to customers:

          You owe your soul to the company store. Why not owe your home to Wells Fargo? An equity advantage loan can help you spend what would have been your children's inheritance.

          • Re: (Score:3, Funny)

            by Kalriath (849904) *

            I actually prefer this bit:

            An interesting element not generally related as part of this story just goes to prove you can never please everyone: The little UK firm responsible for the gaffe received a complaint from a potential customer who felt himself qualified to be a rich bastard yet had not received the letter he deemed appropriate to his station in life.

      • by symbolic (11752)

        Many moons ago I used to work in the credit industry. On the evening shift things would get kind of slow, so we'd find ways to keep ourselves occupied. One such activity was doing lookups on names you know couldn't exist - and it was damn funny when they actually did. I could just see typing in the name "Bastard" and seeing a response, "Bastard, Richard M. .... "

  • by algae (2196) on Wednesday September 23, 2009 @06:48PM (#29523825)
    The real WTF is that all those passwords were in the clear. What the hell business does anyone have these days, doing anything more than storing a one-way hash?
    • Re: (Score:3, Funny)

      by w0mprat (1317953)
      Huh? My is password cleartext it's always ******** no matter what I type, so insecure!
    • by mortonda (5175)

      Yes, really. It's called CHAP authentication, and it requires plain text passwords. see my other post [slashdot.org]

    • by chiark (36404)
      Customer: Hi, I'm having troubles with ebilling
      Demon: OK, let's see if we can help. I just need to take you through security. Can you give me your username
      Customer: customer1
      Demon: And, without revealing your full password, characters 3 and 5 of... the MD5 hash of your password?
      Customer: WTF?
      Demon: sorry, that's not right.

      In the case where you want to use the same password to authenticate across multiple channels, and use human interaction, storing plain passwords (with appropriate control) is u

  • by Anonymous Coward

    I realize most people don't use negabases or other things that would prevent marketing twats from getting their filthy grubby hands on information--but why was there a password field even available to anybody to start with?

    Four years ago I inherited an application with plaintext passwords. Yes, it took me *two years* to fix it because of other even worse problems--but it was fixed in the end (SHA1, salted per user in the front and tail).

    Our support team bitched and moaned that they could no longer troubles

  • by Fredde87 (946371) on Wednesday September 23, 2009 @06:58PM (#29523889)
    I would love to see Demon crash and burn. The most horrible company to deal with. We run a lot of our customers email and domains. We used to buy the domains through demon, then one month they forgot to send us a renewal bill for one of our many domains. Instead of calling us or emailing us like a normal company to check why we hadn't paid they decided to suspend all of our domains for this one outstanding bill. We finally got the missing bill in the post a few days later, dated the same day that they suspended all of our accounts. Then the same things happened a second time a few weeks later. Obviously after the first time we asked them to double check that there where no more outstanding bills we hadn't received and they assured us that we were all up to date. Turned out they missed one of our accounts when they checked. Awful company to deal with in general, any DNS changes to a domain has to be done via fax on a letter with the company's header. Seriously? A large ISP like Demon cant make DNS changes over the phone/email or even have a management site online where the customer can change this? Of course they refused to give us our AuthInfo codes when we requested them. They said we could not get them for 6 months as we had just bought the domains. Turned out that when they "suspended" our domains they actually just canceled all of them and then put them through as a new orders to reactivate them. Finally got the AuthInfo code but had to put through the cancellation first which was scary to do as I had a feeling they were just going to cancel it and give us the AuthInfo code at the same time as they remove all our DNS records from their NS server. Luckily the move went through smoothly. Now with Zen and 1&1 which in comparison are top notch. All of this for a stupid outstanding amount of £12 renewal fee for 1 domain. Our customers ended up having 3 days of no emails or web services. Thank you and goodbye Demon!
    • any DNS changes to a domain has to be done via fax on a letter with the company's header.

      While I can understand that this is a royal pain in the Ass, it's also a fairly good procedure. Faxes have the sending phone number on them usually, which is a decent validation component. The letterhead is another decent step, assuming they compare it to something on file. I don't think you want people changing your routing just based on a phone call without more identification somehow. These are exactly the steps

  • by freedom_india (780002) on Wednesday September 23, 2009 @07:01PM (#29523913) Homepage Journal

    ...when a corporate is involved it always is a MISTAKE.
    When an individual hacker exposes weak security, he is a terrorist.
    Wow!
    Talk about double standards.
    Why can't the corporate be sued on SAME grounds like hackers?

"Out of register space (ugh)" -- vi

Working...