Ace Seeds - User Account Passwords (In)security

GKM420

Hi Folks,

Just a heads-up that Ace Seeds stores their user account passwords in plaintext, i.e., not encrypted.

I made this unfortunate discovery as I wanted to place an order...until I received an email from them with my username and password in the email! Needless to say, I won't be following through on the order...Seriously, this is website security 101.

Why is this an issue? If someone were to hack their website, they would have access to your username, email address, and password. They could then use that information to log in to your account and see your personal information, including your address, all without your knowledge. Ace Seeds allows you to store multiple alternative addresses, including friends and family, according to their website. So you might not be just burning yourself, you might burn your friends and family as well. Great!

Normally, a hacker could still obtain your passwords, but they would be encrypted and the hacker would have to spend time and energy trying to crack them. Still not great, but it's the least a website owner can do to protect their customers.

I sent Ace Seeds an email a week ago and they have not responded, so I wanted to reach out and warn people. In my country, cannabis is legal. Imagine you live in a country where it is not and a hacker obtains your address and order information? Not great.

This is disappointing as encrypting user account passwords is the least a website owner can do. It's extremely easy and considered to be standard practice, especially for websites that process financial transactions.

Stay safe, folks!
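
An added example, not part of the post above and not Ace Seeds' code: one way a site can keep only a salted, slow hash of each password and send a confirmation e-mail that never contains it. The function names, record format, and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)

# Constructed in-memory "user table" for the example; holds hash records only.
USERS = {}


def hash_password(password: str) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:
        return False  # malformed or truncated record


def welcome_email(username: str) -> str:
    """Confirmation e-mail body; the password is not an input, so it cannot leak."""
    return (
        f"Hi {username}, your account has been created. "
        "Log in with the password you chose at sign-up."
    )


def register(username: str, password: str) -> str:
    """Store only the hash record and return the e-mail text to send."""
    USERS[username] = hash_password(password)
    return welcome_email(username)
```

With this layout a copy of the user table yields only salts and hashes, and each guess against a record costs the full iteration count.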