Database Bug At Woot Leaves Reader Wary Of Ordering

Robear wanted to order from shirt.woot, but something strange happened when he went to register. After choosing a username and entering his e-mail address, he noticed that all of the forms were pre-populated with another customer’s information…including that user’s credit card information. He contacted Woot to try to find out what could have happened, but Woot either hasn’t figured it out yet, or just isn’t responding. (UPDATE: Response from Woot below.)

On September 28th, 2009 I saw a shirt that I wanted to buy on the famous shirt.woot.com website. I clicked the “I want one” button and created an account by supplying a username and email address. I was then taken to my account information page to fill in my personal information. This is where the problem began. To my surprise, almost all of the fields on this page were already pre-populated with another user’s information. This included the following information about that user:

– Their name
– Pieces of credit card information (xxxx-xxxx-xxxx-, expiry date)
– Their shipping address (this user’s place of work)
– Their billing address (this user’s apartment)

Although this user’s credit card number was luckily not revealed in its entirety to me, I am guessing that if I had left it untouched and simply clicked the “this info is correct” button I would have been able to complete my order and have it charged to this user. Upon seeing this user’s information, I immediately sent an email to Woot’s bug reporting address codeslaves@woot.com, alerting them to what had happened and to what I referred to as a “Massive Security/Privacy Breach”. I attached a screenshot of the information that was shown to me and I also asked that they remove the account I had created from their site and disassociate my email address and username from the compromised user’s account.

Two weeks passed, and I had still not received a response from Woot. So on October 12th, I then sent them a second email, this time to privacy@woot.com. I found this address in their privacy policy, and it is to be used to request removal of personal information from their database. I told them that I had not heard back from them and included my original email and screenshot. 18 days have since passed, and I have still not received any responses from anyone at Woot. I can also still log on to their site using the account I had created and see the other user’s information. I should also probably point out that this user works for what I will call a fairly well known organization in New York City. A simple web search confirmed this, as I was able to find this person’s name and email address on this organization’s website.

So, in total, it has now been 32 days and I have yet to receive any response from Woot. I personally find this unacceptable, considering the fact that I am trying to bring a problem with their site to their attention. I am wondering how I should proceed from here. Should I try contacting the other user and alerting them to the fact that their personal information has been leaked to me and potentially many other people? I would like this person to know that their information has been compromised, but I don’t know how they would react. I would prefer to do this anonymously. Also, should Woot not be obligated to respond to a personal information removal request within a certain time frame? If so, do you know what it is? What do I do if I never hear back from them?

As far as my relationship with Woot is concerned, I think it’s clear that I won’t be purchasing anything from them anytime in the future.

Any e-commerce experts have any ideas about what could be going on? Have any other readers experienced customer database strangeness at Woot?

UPDATE: Woot has contacted Robear, and the company’s founder and CEO showed up in the comments to this post to express his point of view and concerns. Click here to go to the thread.

Unfortunately, this is indeed the first our team has been aware of this report or any similar circumstance. Robear, thank you for identifying the glitch and taking steps to contact us. My apologies for our communication problems after your unsettling experience. Our customer service team’s primary email (service@woot.com) should have been in the loop on the privacy address and we’re tracking down what may have occurred whether it was missed on our end or if perhaps a follow up was lost to you – in either case it is clearly our mistake for this not elevating to our development team with urgency. I would also like to confirm that we have the screenshot you supplied at this time and that is of great assistance in the matter.

As to the issue reported, be assured, no credit card information or even the ability to order would have been available with the profile mismatch that is described. We use ASP.NET profile management web services from Microsoft that are in widespread secure use, but security of actual transaction information is protected by other features designed at woot. However, the population on your order form of a user’s name and address is an unacceptable fault to have occurred and we will take steps to ensure it doesn’t occur again.

As privacy geeks ourselves, we are obsessive about these matters and value the trust that others place with us. If anyone has a privacy related concern, I would like to make sure future communication issues do not occur. My email at woot is mrutledge@woot.com – if you or anyone else has a security issue that needs my awareness, please cc me on any correspondence. (also, side topic but if you have a service issue that’s not taken care of to your satisfaction, I would enjoy a direct report on that as well – while we set expectations low on service levels, we pride ourselves on responsiveness and take quick corrective action when necessary)

Thanks to the Consumerist and readers for being there as a resource to bring this to our attention, and thank you again Robear for your time involved. Once this matter is comfortably resolved, I hope we can share a chuckle on the irony of the shirt that it occurred on.

Matt Rutledge
Founder & CEO

(Photo: Brian Jackson Now)