Dear DVD Planet, you might want to sit down with the person who designed your customer account system and have a long talk. You know, about things like data security. After we posted this story yesterday about an Amazon shopper who was surprised to find you’d automatically created a barely secure account in his name with his data, another reader—this time a former eBay customer from nearly two years ago—decided to check whether you’d done the same thing to her. Yep! And the password was “Ebay.”
Here’s the letter this customer just sent to DVD Planet:
Hello, DVD Planet.
I just came across this post at consumerist.com, and it left me wondering if my 3/19/07 order of a DVD from your business (through eBay) resulted in the creation of an account on dvdplanet.com. I utilized your “Forgot password?” feature, and within minutes I was able to receive an email with the password that you’ve created for my account — “Ebay” — in the body of the email. It’s not the most secure password in the world; additionally, I was somewhat surprised to see that you’d deliver the actual password into my inbox (instead of providing me with a reset password).
Because of these security concerns, I’m wary of making a purchase from your business on eBay (or Amazon, or directly through dvdplanet.com) again. I don’t feel comfortable knowing that you created an account with my email address that includes an easy-to-guess password that gives access to the billing address I used in my 2007 order. I only authorized a one-time purchase through eBay; I did not authorize the creation of an account on your website. As such, I would like you to remove all of my account information, including my order history, billing address, and any other information about me that is housed on your web site.
Please contact me when this removal is complete so that I may try logging in to verify that my account no longer exists.
(Photo: Laura Brunow Miner)