Found out that a paid VPN service emails plaintext passwords

Asked Nov 08 '20 at 12:01

Active Nov 08 '20 at 12:09

Viewed 22 times

I recently found out that a VPN service does not hash their customer passwords and I need professional insight on how to deal with this.

Here's how I found out:

Bought a subscription on the wrong email address.
Changed the password for that account because the one they provided was weak.
Asked support to change the account's email address.
Support changed my email, which made me receive the following email.

I have anonymized the images for obvious reasons.

You can see that I had generated that exact password earlier that day. I had the console open to check the password length because I already had my suspicions. The length being exactly 30 made me double-check in my password manager.

I sent them an email but they didn't seem to understand what I meant. Looking back, I may have been too pushy about it.

What should I do?

edited Nov 08 '20 at 12:09

schroeder

123,438
55
284
319

asked Nov 08 '20 at 12:01

MattIzSpooky

What do you want to do? What outcome are you looking for? – schroeder Nov 08 '20 at 12:10
@schroeder, I would like to inform current customers and have the company be more careful when dealing with sensitive data. – MattIzSpooky Nov 08 '20 at 12:21
Really all you could do is complain to their support, maybe @ them on Twitter or post on Reddit or something. But that's all up to you. – multithr3at3d Nov 08 '20 at 15:24

Found out that a paid VPN service emails plaintext passwords

0 Answers0