• ChaoticNeutralCzech@feddit.org · 3 points · 3 hours ago

    My sister told me she had problems recovering her password. The page said “email address not registered” when she tried that but “email address in use” when she tried to create a new account. She eventually tried “Sign in with Google” (it was a Gmail address), which led to a permission page, making it seem like she was setting up a new connected service to the account. She went through with it and saw her profile page with all her details, history and credits. By the time she navigated to another page, her account had been reset to a new one with nothing but an email address… The service admins did have a backup though and restored the account.

    And I remember a site that would show you your password in account details, and did not even support https… in 2011 up to fucking 2015. Gaining control of all 300,000+ accounts (not hard if the backend’s security was as strong as it seems to have been) would not have been valuable itself (users could not interact, the site was basically a quiz game with a leaderboard akin to freerice.com) but it was for children 6-18, most of whom would reuse passwords. And it was designed by CDI.cz, a major web design agency with high-profile Czech clients including the post office, a top 3 telecom, a major health insurance provider and the national railway company…