Went to try and purchase the Battlefield Bad Company 2: Vietnam expansion that was on sale today from Direct 2 Drive. For whatever reason, they weren't able to process my order, so my friend decided to gift it to me instead. When I got the e-mail, imagine my surprise when I saw this:

[Image: ZOvSt.png]

They e-mailed me my account password in plaintext! What does this mean? My username, password and any related information to that account are all stored in a database - unencrypted. :angry:

Shocking, especially given the amount of news about compromised databases this year.

That, my friend, is ridiculous. I never really checked out D2D as I was never a huge PC gamer, but is there a reason you do not use Steam? I doubt Valve would allow this type of behavior.

I use and adore Steam. The expansion was on sale though, and I'm cheap (I bought BFBC2 when it was on sale through the EA store).

D2D being a store that deals with financial transactions, I had assumed that they'd be a little more responsible with my data though.

I would still say that the data will be encrypted, but it will be 2-way encryption, instead of doing what everyone else does and using a hash. Still, that's pretty appalling to email you your password. I have had websites do that to me as a "forgot your password" reminder, and it still makes me uneasy.

Well then, maybe I've over-reacted.

However, given that the e-mail was automated, wouldn't that suggest that the pass-phrase / function used to encrypt the password would be found somewhere in the source code? If an attacker were to gain access to the database, then they could also gain access to the back-end code as well.

Actually I don't think you did. When the email was sent, it was still sent (most likely) over an insecure path, free for anyone to intercept along the way.

You should email / call about this. It may not make a difference, but still bring it to their attention.

Yup, opened a support ticket with them to let them know. Hopefully they'll be able to change this behavior.

Man, that's some short password you got there.

It's actually larger than that, I just botched up while doing the redaction. (Note the white space to the right of "You") ;)

It's odd that they'd send you your actual password like that. I wouldn't be too worried though. A lot of services send you a randomly generated password after requesting a new password. I don't think it's any different in terms of security.

They generate the random password, send it to you in an email, then hash it before it is put in the database. It's not retrievable in plain text after this point.

I think that is supposed to be a temp password; it auto-created an account for you so you can log in. Whoever sent you a gift sent it to an email address that did not have an account.

Sadly, this isn't the case - it was actually my password that I had personally set for that account.

I would bet that more sites than not still haven't learned the benefits of hashing passwords, sadly. I wonder too how many of those that have take the time to also salt the password hash.
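An added example, not part of the original thread: a minimal sketch of the salted, one-way storage and the "generate, e-mail once, store only the hash" reset flow the posts above describe, next to the unsalted fast hash they warn about. The function names, the dict standing in for the accounts table and the iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for this example)

def hash_password(password: str) -> str:
    """Return 'salt$digest' in hex; the password itself is never stored."""
    salt = secrets.token_bytes(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def unsalted_sha256(password: str) -> str:
    """Weak baseline: fast and unsalted, so equal passwords give equal rows."""
    return hashlib.sha256(password.encode()).hexdigest()

def issue_temporary_password(db: dict, user: str) -> str:
    """Reset flow from the thread: generate, store only the hash, return once."""
    temp = secrets.token_urlsafe(12)
    db[user] = hash_password(temp)
    return temp  # delivered to the user once; not recoverable from db afterwards

if __name__ == "__main__":
    db = {}  # constructed stand-in for the accounts table
    db["alice"] = hash_password("hunter2-constructed")
    db["bob"] = hash_password("hunter2-constructed")
    print("same password, different rows:", db["alice"] != db["bob"])
    print("login works:", verify_password("hunter2-constructed", db["alice"]))
    temp = issue_temporary_password(db, "alice")
    print("temp password works:", verify_password(temp, db["alice"]))
    print("old password rejected:",
          not verify_password("hunter2-constructed", db["alice"]))
```

With records like these, a site has nothing it could put in an e-mail except a newly generated temporary password, which is the difference between the two kinds of message discussed in this thread.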

I hate companies like that, when they send you emails with your ****ing password clear as day in the email.

They say **** like ... Login now with your password and then proceed to tell you in plain text what your ****ing password is. Idiots

Plenty of fish does the same thing

https://www.neowin.net/forum/topic/944688-online-security-at-its-best/
