DVD Planet Uses 'Ebay' For Password, Sends It To You Via Email If You Ask
Dear DVD Planet, you might want to sit down with the person who designed your customer account system and have a long talk. You know, about things like data security. After we posted this story yesterday about an Amazon shopper who was surprised to find you'd automatically created a barely secure account in his name with his data, another reader—this time a former eBay customer from nearly two years ago—decided to check whether you'd done the same thing to her. Yep! And the password was "Ebay."
Here's the letter this customer just sent to DVD Planet:
Hello, DVD Planet.
I just came across this post at consumerist.com, and it left me wondering if my 3/19/07 order of a DVD from your business (through Ebay) resulted in the creation of an account on dvdplanet.com. I utilized your "Forgot password?" feature, and within minutes I was able to receive an email with the password that you've created for my account — "Ebay" — in the body of the email. It's not the most secure password in the world; additionally, I was somewhat surprised to see that you'd deliver the actual password into my inbox (instead of providing me with a reset password).
Because of these security concerns, I'm wary of making a purchase from your business on EBay (or Amazon, or directly through dvdplanet.com) again. I don't feel comfortable knowing that you created an account with my email address that includes an easy-to-guess password that gives access to the billing address I used in my 2007 order. I only authorized a one-time purchase through Ebay; I did not authorize the creation of an account on your website. As such, I would like you to remove all of my account information, including my order history, billing address, and any other information about me that is housed on your web site.
Please contact me when this removal is complete so that I may try logging in to verify that my account no longer exists.
Thank you!
(Photo: Laura Brunow Miner)
Comments:
I was at one time a programmer for online sites. All the time we used the password "Test" as the password for all user accounts. Then once it went to a URL test we changed it to another password and left it there. Seems the programmer made it create the account and record where they bought the item from. I really do not think this was meant to be part of a live site. This should have been taken out before going live. Maybe it was? There have been times when, once a site goes live, they go to a backup from before the changes.
It's not uncommon for sites to make you an account whether you want it or not once you buy something. But it is uncommon for them not to ask you for a username and password.
The ridiculous part is-- how flippin' hard is it to generate a random password? It's a pretty simple program that anyone in charge of setting up a customer order web-based database should be able to do. This is just carelessness/thoughtlessness.
Hint: You can either generate a 6-10 character password made up of random characters (easy!) or
You can draw from a library of hundreds of words + a random 4 digit number-- again... pretty flippin' easy.
So...you buy something from a customer on ebay, and because of the paypal transaction you have their email address.
You then see their feedback, and notice they bought a DVD from DVD Planet. You then go to their website, use their paypal email address, and the password "eBay" to get into their account and view all their info?
Is it REALLY that simple?
This reminds me of this past election. I was requesting information from the candidates for Senate, and for most, the only form of public contact was a web form. Well, one of the Senate candidates' websites automatically signed me up for their newsletter after I submitted the contact form. There was no way to opt out before submitting the form and no warning telling me they were going to do that.
After submitting the message, they then had a message that said "Thank you for signing up for our newsletter," or something to that effect.
This kind of stuff needs to be illegal.
@ezacharyk: It's one thing to notify you that you were signed up for a newsletter w/o your request. It's another to have all your personal info stored on a poorly protected website, and never be made aware of this fact.
@hi: While they are similar in that someone is being signed up for something they didn't request, it's the end result that is the issue.
If I'm signed up for a mailer or advertisement without my consent, that is just annoying but not a security concern.
DVD Planet is causing a security concern, opening up the customer to identity theft through neglect. Much different than just getting a mailer you didn't request.
@Saboth: Their prices aren't bad, but deepdiscount.com usually beats them, especially when you factor in shipping. DVDPlanet's shipping isn't stellar and their customer service sucks.
@idip: You know, I think the only change that they need to make is how they market this… They're providing a service to anyone that has ever known someone that bought a DVD from them. For instance, say I know my friend's email address, but not his real house address… I can go to the website, enter his email address and the keyword 'ebay', and then drive to his house with no problem!
@ezacharyk: I have a similar story with a different punchline. I wanted to offer some screen captures to Congressman Ed Markey (from my state, but not my district) who serves on a committee dealing with cable TV issues. I think it had something to do with the Charter web browsing monitoring debacle last year.
I used the webform, sent him a message, and got back two things:
1. A reply email saying, "sorry, we won't be responding to your message because you don't live in the congressman's district", and
2. An unwanted subscription to his email newsletter.
DVDPlanet has been a seller on both Ebay and Amazon Marketplace for many years and has always maintained very high feedback ratings. When this morning’s concerns regarding our process of allowing customers to view their order status on our website came to our attention, we immediately closed all of the DVDPlanet accounts associated with Ebay and Amazon Marketplace orders. These accounts were simply created to allow customers to view their order status, something that customers could not do through Ebay or Amazon Marketplace, and for no other use or purpose. We do not collect or store any credit card information in those accounts but do understand the privacy concerns that have been raised. The process of allowing Ebay and Amazon Marketplace customers to log onto our site to view order status has been terminated and all existing accounts created for that purpose have been closed. We apologize for any concerns that this may have caused.
This is being blown out of proportion like many of the recent consumerist articles.
When anybody clicks "forgot password", a new password is created overtop of the old password so that the customer can go in and change the password that they forgot. Good websites can't see the password you set, or in this case, didn't set. It's encrypted on their side.
What I'm trying to say is there aren't any security holes here that DVD Planet should be overly concerned about. After you click "Forgot Password", it is your responsibility to change that password.
@Sean Tapscott: New password created "overtop" the old password? Not for dvdplanet.com -- they sent the actual password in the text of the email.
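The reset flow the comments above argue about (a random per-account password as suggested in the "hint" comment, a salted hash the site cannot read back, and a single-use expiring token in place of mailing the password itself), written here as an added Python example; it is not DVD Planet's code, and the `AccountStore` class, `PBKDF2_ROUNDS` and `RESET_TTL_SECONDS` are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 100_000          # assumed work factor for this example
RESET_TTL_SECONDS = 900          # assumed 15-minute token lifetime

def generate_password(length=10):
    """Random per-account password from the CSPRNG, not a fixed word like 'Ebay'."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def hash_password(password, salt=None):
    # Salted PBKDF2 digest: this is what the site stores, never the password itself
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)

class AccountStore:
    # Hypothetical store: email -> password hash, plus hashed single-use reset tokens
    def __init__(self):
        self.users = {}
        self.reset_tokens = {}   # sha256(token) -> (email, expiry timestamp)

    def create_account(self, email):
        password = generate_password()
        self.users[email] = hash_password(password)
        return password          # shown once; it cannot be recovered from the hash later

    def request_reset(self, email, now):
        # "Forgot password?" hands out a short-lived token, never the password
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = (email, now + RESET_TTL_SECONDS)
        return token

    def complete_reset(self, token, new_password, now):
        entry = self.reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or now > entry[1]:
            return False         # unknown, already used, or expired token
        self.users[entry[0]] = hash_password(new_password)
        return True

    def login(self, email, password):
        stored = self.users.get(email)
        return stored is not None and verify_password(password, stored)
```

Because only the token's hash is kept, a copy of the database does not let anyone complete a pending reset, and because the token is popped on first use, a reset link cannot be replayed.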
2 stories in two days. Wonder if they will make changes.