Millions of Utility Customers' Passwords Stored In Plain Text (arstechnica.com)
schwit1 shares a report from Ars Technica: In September of 2018, an anonymous independent security researcher (who we'll call X) noticed that their power company's website was offering to email -- not reset! -- lost account passwords to forgetful users. Startled, X fed the online form the utility account number and the last four phone number digits it was asking for. Sure enough, a few minutes later the account password, in plain text, was sitting in X's inbox. This was frustrating and insecure, and it shouldn't have happened at all in 2018. But this turned out to be a flaw common to websites designed by the Atlanta firm SEDC. After finding SEDC's copyright notices in the footer of the local utility company's website, X began looking for more customer-facing sites designed by SEDC. X found and confirmed SEDC's footer -- and the same offer to email plain-text passwords -- in more than 80 utility company websites. Those companies service 15 million or so clients (estimated from GIS data and in some cases from PR brags on the utility sites themselves). But the real number of affected Americans could easily be several times that large: SEDC itself claims that more than 250 utility companies use its software.
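For contrast with a site that can email the password back, here is an added example (not from the Ars Technica report and not SEDC's code) of storage where the server keeps only a salted scrypt hash and recovery goes through a single-use, expiring reset token. The `Accounts` class, the scrypt parameters, the 15-minute lifetime and the account number in the test are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)   # assumed work factor (about 16 MiB)
RESET_TTL = 15 * 60                          # assumed token lifetime, in seconds

def hash_password(password, salt=None):
    """Return (salt, digest); the password itself is never stored."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

def verify_password(password, salt, stored):
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt)[1], stored)

class Accounts:  # hypothetical in-memory store standing in for a database
    def __init__(self):
        self.users = {}    # account number -> {"salt": ..., "hash": ...}
        self.resets = {}   # sha256(token) -> (account number, expiry time)

    def register(self, acct, password):
        salt, digest = hash_password(password)
        self.users[acct] = {"salt": salt, "hash": digest}

    def login(self, acct, password):
        u = self.users.get(acct)
        return bool(u) and verify_password(password, u["salt"], u["hash"])

    def start_reset(self, acct, now=None):
        """Create a reset token to email to the address on file."""
        if acct not in self.users:
            return None    # caller should show the same page either way
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is kept, so a database leak yields no live tokens.
        key = hashlib.sha256(token.encode()).digest()
        self.resets[key] = (acct, now + RESET_TTL)
        return token

    def finish_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        # pop() makes the token single-use even when it turns out to be expired.
        entry = self.resets.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None or now > entry[1]:
            return False
        self.register(entry[0], new_password)
        return True
```

With this layout there is nothing the "forgot password" form could send other than the token, because the stored record cannot be turned back into the password.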
How do you know your passwords are stored securely on any given website anyway? Most websites won't (and probably shouldn't) tell you how they store passwords/hashes. Even if they do tell you, should you trust them to tell the truth? The only defense is to never assume your password is stored securely and take measures (don't reuse, 2-factor, change often, etc.) accordingly.
I would need to have an 'online relationship' with my utility companies for this to become a problem. I practice security-through-postage-stamps.
If they are hashing a bunch of combinations of just a few characters of the password, these characters could be easily brute forced, salted or not! After knowing these combinations, brute forcing the rest of the password would be as easy as hell.
An example of why America needs more regulation. This doesn't happen in other western nations.
Sweden - https://www.bbc.com/news/techn...
Germany - https://www.theguardian.com/wo...
France - https://techcrunch.com/2018/12...
Spain - https://www.theinquirer.net/in...