Joel says when he ordered a disc from DVD Planet via Amazon, the company automatically created an account for him on their website. The problem is that the default password they used was so easy to guess that he figured it out on the second try, and he suspects it’s the same password they use on every account. Once you guess it, you can see the customer’s past orders and credit card billing address. When Joel contacted them to have the account removed, he was told that wasn’t possible.
Here’s Joel’s letter:
I’ve encountered a problem with an online retailer’s weak privacy practices that I would like to make other consumers aware of.
I recently made a purchase from Digital Eyes/DVD Planet through Amazon’s Marketplace. When the company emailed me to confirm my order, they also informed me that they had created an account for me at their website, dvdplanet.com. While I find it irritating enough that someone would create an account under my name without my permission, I was surprised to discover that the password for this account was extremely easy to guess. It wasn’t even indicated in the email they sent me, and it only took me two tries to log in to my new account (it’s the same password they give to all of their customers who purchase through Amazon – go ahead, try to guess what it is).
Until I logged into this account that I didn’t ask for and changed the password, anyone who knows my email address and has half a brain could have logged into the account, where they would have found my credit card billing address (useful for identity thieves) and DVD purchase history with the company (a plain old breach of my privacy).
I frequently overlook the order confirmation messages I get from Marketplace sellers, since they’re all essentially the same. I’m sure there are plenty of others out there who do the same thing. If any of them have ever purchased from Digital Eyes/DVD Planet, they may not even know that they’ve had an account created in their name with a password a monkey could figure out, and which contains their billing information. I think they should know their private information could be exposed to virtually anyone.
When I emailed the company to have my account deleted (firstname.lastname@example.org), customer service twice attempted to tell me that accounts cannot be deleted once they’ve been created. After I pointed out that this situation is not possible, they’ve informed me that my request has been forwarded to the appropriate department. Although I plan to follow through to make sure my account is erased once and for all, there was no indication in the correspondence I had with customer service that the company might be willing to consider that this practice is maybe a bad idea.
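As an added illustration of the failure Joel describes (not code from the retailer or from this post), here is the account-provisioning pattern he ran into, a shared default password on every auto-created account, beside a version that issues each account a random, hashed, single-use, expiring setup token instead, plus an audit that lists which accounts still accept a known default. The default string, the in-memory store and all function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed stand-in for the retailer's shared default; the page does not reveal the real value.
SHARED_DEFAULT = "changeme"


def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def provision_weak(store: dict, email: str) -> None:
    """The pattern in the letter: every auto-created account gets the same guessable password."""
    salt = os.urandom(16)
    store[email] = {"salt": salt, "hash": _kdf(SHARED_DEFAULT, salt), "setup": None, "expires": 0}

def provision_hardened(store: dict, email: str, ttl: int = 86400) -> str:
    """No usable password at all: a random per-account setup token is stored hashed,
    expires after ttl seconds, and its plaintext goes only into the confirmation email."""
    token = secrets.token_urlsafe(32)
    salt = os.urandom(16)
    store[email] = {"salt": salt, "hash": None, "setup": _kdf(token, salt), "expires": time.time() + ttl}
    return token

def login(store: dict, email: str, password: str) -> bool:
    rec = store.get(email)
    if rec is None or rec["hash"] is None:  # an account that was never set up cannot be logged into
        return False
    return hmac.compare_digest(rec["hash"], _kdf(password, rec["salt"]))

def complete_setup(store: dict, email: str, token: str, new_password: str, now=None) -> bool:
    rec = store.get(email)
    now = time.time() if now is None else now
    if rec is None or rec["setup"] is None or now > rec["expires"]:
        return False
    if not hmac.compare_digest(rec["setup"], _kdf(token, rec["salt"])):
        return False
    rec["setup"] = None                 # single use
    rec["salt"] = os.urandom(16)        # fresh salt for the customer-chosen password
    rec["hash"] = _kdf(new_password, rec["salt"])
    return True

def accounts_accepting(store: dict, candidate: str) -> list:
    """Audit check: which accounts still accept a known default? Hashed storage means trying it per account."""
    return [email for email in store if login(store, email, candidate)]
```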
(Photo: Darwin Bell)