Really Direct 2 Drive, Really?


19 replies to this topic

#1 TGT

TGT

    RK-xxx

  • 448 posts
  • Joined: 11-April 05
  • Location: Markham, Ontario

Posted 24 April 2011 - 02:30

Went to try and purchase the Battlefield Bad Company 2: Vietnam expansion that was on sale today from Direct 2 Drive. For whatever reason, they weren't able to process my order, so my friend decided to gift it to me instead. When I got the e-mail, imagine my surprise when I saw this:

Posted Image

They e-mailed me my account password in plaintext! What does this mean? My username, password and any related information to that account are all stored in a database - unencrypted. :angry:

Shocking, especially given the amount of news about compromised databases this year.


#2 The_Observer

The_Observer

    Apples, Bananas, Rhinoceros!

  • 3,909 posts
  • Joined: 12-April 05
  • Location: New Zealand
  • OS: OS X 10.9
  • Phone: iPhone5s

Posted 24 April 2011 - 02:32

hahahah that's the funniest one I have seen!

#3 Alladaskill17

Alladaskill17

    Neowinian Senior

  • 5,437 posts
  • Joined: 21-July 05

Posted 24 April 2011 - 02:33

That, my friend, is ridiculous. I never really checked out D2D as I was never a huge PC gamer, but is there a reason you do not use Steam? I doubt Valve would allow this type of behavior.

#4 OP TGT

TGT

    RK-xxx

  • 448 posts
  • Joined: 11-April 05
  • Location: Markham, Ontario

Posted 24 April 2011 - 02:44

That, my friend, is ridiculous. I never really checked out D2D as I was never a huge PC gamer, but is there a reason you do not use Steam? I doubt Valve would allow this type of behavior.


I use and adore Steam. The expansion was on sale though, and I'm cheap (I bought BFBC2 when it was on sale through the EA store).

D2D being a store that deals with financial transactions, I had assumed that they'd be a little more responsible with my data though.

#5 +Majesticmerc

Majesticmerc

    Resident Idealist

  • 6,135 posts
  • Joined: 24-August 05
  • Location: United Kingdom
  • OS: Arch Linux / Win 7
  • Phone: HTC One X

Posted 24 April 2011 - 02:48

I would still say that the data will be encrypted, but it will be 2-way encryption, instead of doing what everyone else does and using a hash. Still, that's pretty appalling to email you your password. I have had websites do that to me as a "forgot your password" reminder, and it still makes me uneasy.

#6 OP TGT

TGT

    RK-xxx

  • 448 posts
  • Joined: 11-April 05
  • Location: Markham, Ontario

Posted 24 April 2011 - 03:25

I would still say that the data will be encrypted, but it will be 2-way encryption, instead of doing what everyone else does and using a hash. Still, that's pretty appalling to email you your password. I have had websites do that to me as a "forgot your password" reminder, and it still makes me uneasy.


Well then, maybe I've over-reacted.

However, given that the e-mail was automated, wouldn't that suggest that the pass-phrase / function used to encrypt the password would be found somewhere in the source code? If an attacker were to gain access to the database, then they could also gain access to the back-end code as well.

#7 +Majesticmerc

Majesticmerc

    Resident Idealist

  • 6,135 posts
  • Joined: 24-August 05
  • Location: United Kingdom
  • OS: Arch Linux / Win 7
  • Phone: HTC One X

Posted 24 April 2011 - 11:49

Well then, maybe I've over-reacted.

However, given that the e-mail was automated, wouldn't that suggest that the pass-phrase / function used to encrypt the password would be found somewhere in the source code? If an attacker were to gain access to the database, then they could also gain access to the back-end code as well.


Actually I don't think you did. When the email was sent, it was still sent (most likely) over an insecure path, free for anyone to intercept along the way.

#8 Tharp Daddy

Tharp Daddy

    Indeed!

  • 1,631 posts
  • Joined: 15-June 09
  • Location: Oviedo, Florida

Posted 24 April 2011 - 13:47

You should email / call about this. It may not make a difference, but still bring it to their attention.

#9 Anibal P

Anibal P

    Neowinian

  • 4,281 posts
  • Joined: 11-June 02
  • Location: Waterbury CT
  • OS: Win 8.1
  • Phone: Android

Posted 24 April 2011 - 13:49

How do you know the email was sent in plain text?

#10 Pupik

Pupik

    Neowinian Senior

  • 6,180 posts
  • Joined: 09-December 05

Posted 24 April 2011 - 14:03

Man, that's some short password you got there.

#11 OP TGT

TGT

    RK-xxx

  • 448 posts
  • Joined: 11-April 05
  • Location: Markham, Ontario

Posted 24 April 2011 - 20:14

You should email / call about this. It may not make a difference, but still bring it to their attention.


Yup, opened a support ticket with them to let them know. Hopefully they'll be able to change this behavior.

Man, that's some short password you got there.


It's actually larger than that, I just botched up while doing the redaction. (Note the white space to the right of "You") ;)

#12 Yusuf M.

Yusuf M.

  • 21,358 posts
  • Joined: 25-May 04
  • Location: Toronto, ON
  • OS: Windows 8.1 Pro
  • Phone: OnePlus One 64GB

Posted 24 April 2011 - 22:27

It's odd that they'd send you your actual password like that. I wouldn't be too worried though. A lot of services send you a randomly generated password after requesting a new password. I don't think it's any different in terms of security.

#13 Samn9

Samn9

    Neowinian

  • 560 posts
  • Joined: 30-September 05
  • Location: UK

Posted 25 April 2011 - 15:05

It's odd that they'd send you your actual password like that. I wouldn't be too worried though. A lot of services send you a randomly generated password after requesting a new password. I don't think it's any different in terms of security.

They generate the random password, send it to you in an email, then hash it before it is put in the database. It's not retrievable in plain text after this point.
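The temporary-password flow described above (generate a random password, send it once, store only a salted hash so the plaintext is never retrievable from the database), as an added example that is not part of the original thread; the in-memory USERS table, the PBKDF2 parameters, the must-change flag and the e-mail address are constructed for illustration:

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed in-memory stand-in for the users table: email -> record.
# The record holds a random salt, the PBKDF2 digest and a flag saying the
# temporary password must be replaced on first login. No plaintext is stored.
USERS = {}

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return (salt, digest) for a salted PBKDF2-HMAC-SHA256 hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def generate_temp_password(length=16):
    """Random temporary password from a CSPRNG (secrets), never reused."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def create_account_for_gift(email):
    """Gift to an unknown address: make a temp password, hash it, return the
    plaintext once so it can go into the e-mail, then forget it."""
    temp = generate_temp_password()
    salt, digest = hash_password(temp)
    USERS[email] = {"salt": salt, "digest": digest, "must_change": True}
    return temp


def verify_login(email, password):
    """Constant-time comparison of the candidate hash against the stored one."""
    record = USERS.get(email)
    if record is None:
        return False
    _, candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(record["digest"], candidate)


def set_password(email, old_password, new_password):
    """Rotate the temporary password after first login; clears must_change."""
    if not verify_login(email, old_password):
        return False
    salt, digest = hash_password(new_password)
    USERS[email] = {"salt": salt, "digest": digest, "must_change": False}
    return True
```

After create_account_for_gift returns, the only copy of the plaintext is the one in the outgoing mail; a later "reminder" could only send a new temporary password, never the old one.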

#14 Chosen One

Chosen One

    Neowinian Senior

  • 2,285 posts
  • Joined: 11-April 04
  • Location: Toronto,Canada

Posted 25 April 2011 - 15:36

I think that is supposed to be a temp password; it auto-created an account for you so you can log in. Whoever sent you a gift sent it to an email address that did not have an account.

#15 OP TGT

TGT

    RK-xxx

  • 448 posts
  • Joined: 11-April 05
  • Location: Markham, Ontario

Posted 26 April 2011 - 00:32

I think that is supposed to be a temp password; it auto-created an account for you so you can log in. Whoever sent you a gift sent it to an email address that did not have an account.


Sadly, this isn't the case - it was actually my password that I had personally set for that account.