Skip to main content

I just encountered something that raises a high degree of alarm with me.



I found that a client's mail hosting company captures and stores user passwords. They claim to do so for the sake of troubleshooting user accounts.



Is this common? This vendor talks as though this is a non-issue and not a big deal. I'm wanting to make the case to the powers that be that this is a huge security issue. But before I wind up with egg on my face I want to hit up some of you for a reality check.



It it unreasonable for me to be so alarmed over this?



Thank you.

It's reasonable to be mad at them @gskibum.

I remember years ago we ran Eudora Mail Server. My manager used to drag a clipping from a file (forget which) to the desktop of the OS 9 server, and there he had all users' passwords.



This got him fired. Just sayin'.

Yeah I'm miffed. I spent almost a full day doing troubleshooting they should have been doing themselves. Then I came to realize that they have captured & stored everyone's passwords! Tomorrow is going to be entertaining to say the least.



They were probably assuming I'm some dumb Mac guy. Or should I say dumb MAC guy. ;-)

I'd request mailbox access logs tied back to IP address to ensure that nobody there accessed your data, have your lawyers issue a C&D else they'll consider contacting law enforcement to see about potential criminal action (Computer Fraud and Abuse Act comes to mind), and promptly spin everyone's passwords.



If that doesn't sufficiently scare the ever loving shit out of them, change providers promptly.

Reply


Terms & ConditionsCookie settings