I recently found out that a VPN service does not hash their customer passwords and I need professional insight on how to deal with this.
Here's how I found out:
- Bought a subscription on the wrong email address.
- Changed the password for that account because the one they provided was weak.
- Asked support to change the account's email address.
- Support changed my email, which made me receive the following email.
I have anonymized the images for obvious reasons.
You can see that I had generated that exact password earlier that day. I had the console open to check the password length because I already had my suspicions. The length being exactly 30 made me double-check in my password manager.
I sent them an email but they didn't seem to understand what I meant. Looking back, I may have been too pushy about it.
What should I do?