I’m frightened.

JSR account security fail

Made an order with Post-War Trade through JSR Direct. After I'd created the account, I went to change some info on my account. However, when logged in from the PWT site, the links to update account info or change passwords just 404d.

I sent an e-mail to their support asking when they'd be fixed, and got a horrifying response. They'd just preemptively reset my account password to "12345", and sent that along in e-mail, without me asking them to.

Not only does this contravene all best practices for password resets on websites, it also ignores the problem I actually reported (which is still broken, and appears to be a coding error on the site page), *AND* makes it very easy to get someone else's password reset, log in to their account, and steal any saved credit card info.

I'm sorry, Amanda, but as soon as my order's processed I'll be cancelling my JSR account and never ever shopping through them again. I love you, but this is just too much failboat with my personal and banking info; they clearly don't know what they're doing.
