Heart Internet spreads the love passwords
Hosting firm suffers security aneurysm
Posted in Telecoms, 24th June 2008 11:10 GMT
See what The Register's experts have to say on application security
Web hosting outfit Heart Internet has caused security-conscious customers to skip a beat by sending them a handy text file email attachment containing other people's new passwords.
Last week Heart Internet decided to reset a bunch of FTP and eXtend passwords that had not been changed by their account owners for "an extended period".
Its explanatory email said: "Attached to this email is a file list showing all domain names which have had their password changed. The new password is shown next to the domain name." Thing is, the .csv file attached contained not only a list of all the domains affected, but also every new password.
It's unclear how many customers have been affected by the blunder, as Heart Internet has been somewhat shy about discussing it.
According to one Reg reader who asked to remain anonymous, Heart Internet re-sent the email about one hour later, this time with only his new password in the attachment. Stable doors and horses seem apposite.
Nottingham-based Heart Internet was founded by Jonathan Brealey and Tim Beresford, who also set up and flogged major UK hosting players WebFusion and 123-Reg.
The firm's bosses have not returned any of half a dozen calls from El Reg. We can't imagine why. ®