I am registered on a site which doesn't manage passwords correctly. It is a user area for a company that provides services of some sort and which uses the area to show details of the contracts and for payments.
Now, if I forget my password, there is a procedure that allows me to gain access to my area again. Problem: they email you your password back. And I cannot think of a way such behaviour could be implemented while remaining secure (and I'm pretty sure it's impossible; happy to be proven wrong).
How could I approach the company to let them know the problem? What I thought so far is:
1. Just leave the site and don't use it. Well, the service is good and the user area is convenient, so this is really not an option.
2. Reach their privacy department through an email address I found somewhere on their site. I would do that, but I am not sure what to say, and also I am not sure whether I should disclose who I am or remain anonymous.
3. Talk directly to the third-party privacy authority. Both I and the company are located in the EU and subject to GDPR, and in my country there is a state-controlled authority that has some leverage in terms of data privacy, and this looks to me like a big privacy concern.
I was thinking of starting with option 2 and then moving to option 3 if no sensible response is received.
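As an added illustration of the point in the question (not code from the poster or the company), here is a constructed credential store in which the site can only ever hold a salted PBKDF2 hash, so a "forgot password" flow has nothing to mail back except a one-time, expiring reset token. Iteration count and token lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset token


class CredentialStore:
    """Passwords are stored only as salted hashes and are never recoverable."""

    def __init__(self):
        self._users = {}    # username -> (salt, derived key)
        self._resets = {}   # sha256(token) -> (username, expiry); token itself is not stored

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))

    def verify(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._derive(password, salt))

    def stored_password(self, username):
        """The only thing a 'forgot password' mail could contain: the hash, not the password."""
        return self._users[username][1].hex()

    def issue_reset_token(self, username, now=None):
        if username not in self._users:
            return None  # caller should answer identically for unknown users
        token = secrets.token_urlsafe(32)
        expiry = (now or time.time()) + TOKEN_TTL_SECONDS
        self._resets[hashlib.sha256(token.encode()).digest()] = (username, expiry)
        return token  # sent once to the user's address, never logged or stored

    def redeem_reset_token(self, token, new_password, now=None):
        rec = self._resets.pop(hashlib.sha256(token.encode()).digest(), None)  # single use
        if rec is None:
            return False
        username, expiry = rec
        if (now or time.time()) > expiry:
            return False
        self.register(username, new_password)  # new salt, new hash
        return True
```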