Joel says when he ordered a disc from DVD Planet via Amazon, the company automatically created an account for him on their website. The problem is that the default password they used was so easy to guess that he figured it out on the second try, and he suspects it's the same password they use on every account. Once you guess it, you can see the customer's past orders and credit card billing address. When Joel contacted them to have the account removed, he was told that wasn't possible.
Here's Joel's letter:
Quote:
I've encountered a problem with an online retailer's weak privacy practices that I would like to make other consumers aware of.
I recently made a purchase from Digital Eyes/DVD Planet through Amazon's Marketplace. When the company emailed me to confirm my order, they also informed me that they had created an account for me at their website, dvdplanet.com. While I find it irritating enough that someone would create an account under my name without my permission, I was surprised to discover that the password for this account was extremely easy to guess. It wasn't even indicated in the email they sent me, and it only took me two tries to log in to my new account (it's the same password they give to all of their customers who purchase through Amazon - go ahead, try to guess what it is).
Until I logged into this account that I didn't ask for and changed the password, anyone who knows my email address and has half a brain could have logged into the account, where they would have found my credit card billing address (useful for identity thieves) and DVD purchase history with the company (a plain old breach of my privacy).
I frequently overlook the order confirmation messages I get from Marketplace sellers, since they're all essentially the same. I'm sure there are plenty of others out there who do the same thing. If any of them have ever purchased from Digital Eyes/DVD Planet, they may not even know that they've had an account created in their name with a password a monkey could figure out, and which contains their billing information. I think they should know their private information could be exposed to virtually anyone.
When I emailed the company to have my account deleted (amazon@digitaleyes.net), customer service twice attempted to tell me that accounts cannot be deleted once they've been created. After I pointed out that this situation is not possible, they've informed me that my request has been forwarded to the appropriate department. Although I plan to follow through to make sure my account is erased once and for all, there was no indication in the correspondence I had with customer service that the company might be willing to consider that this practice is maybe a bad idea.
Dear DVD Planet, you might want to sit down with the person who designed your customer account system and have a long talk. You know, about things like data security. After we posted this story yesterday about an Amazon shopper who was surprised to find you'd automatically created a barely secure account in his name with his data, another reader—this time a former eBay customer from nearly two years ago—decided to check whether you'd done the same thing to her. Yep! And the password was "Ebay."
Here's the letter this customer just sent to DVD Planet:
Quote:
Hello, DVD Planet.
I just came across this post at consumerist.com, and it left me wondering if my 3/19/07 order of a DVD from your business (through Ebay) resulted in the creation of an account on dvdplanet.com. I utilized your "Forgot password?" feature, and within minutes I was able to receive an email with the password that you've created for my account — "Ebay" — in the body of the email. It's not the most secure password in the world; additionally, I was somewhat surprised to see that you'd deliver the actual password into my inbox (instead of providing me with a reset password).
Because of these security concerns, I'm wary of making a purchase from your business on EBay (or Amazon, or directly through dvdplanet.com) again. I don't feel comfortable knowing that you created an account with my email address that includes an easy-to-guess password that gives access to the billing address I used in my 2007 order. I only authorized a one-time purchase through Ebay; I did not authorize the creation of an account on your website. As such, I would like you to remove all of my account information, including my order history, billing address, and any other information about me that is housed on your web site.
Please contact me when this removal is complete so that I may try logging in to verify that my account no longer exists.
Thank you for writing to us with your concern. Please rest assured that Amazon.com is not in the business of selling customer information. In the case you listed as an example, the only information Amazon would allow the seller, DVD Planet, to see is the buyer's name and shipping address. All other information, such as credit card, email address, and order history are kept private.
There are only a few ways in which this seller could have access to the buyer's email address. If the buyer has his email address listed in his public profile on Amazon or if he contacted the seller directly, instead of using the "Contact Seller" link he is provided (which allows buyer to send his message through Amazon to keep his information private), then the seller would have access to his email address.
That being said, this type of activity from one of our sellers is unacceptable. I have brought this to the attention of the appropriate department within Amazon.com for investigation. For account privacy reasons, we cannot disclose the outcome of any investigation we may perform or actions taken against other accounts.
Please note that our Privacy Notice was instituted in order to clarify the ways that we collect and share information. It is intended to help our customers make informed decisions about sharing personal data with us when shopping on our web site. The information mentioned in our Privacy Notice refers to information given by customers who visit Amazon.com, not to that information provided by members of our Advantage or Associates programs as part of these programs, or by sellers through our third-party platforms in connection with sales on those platforms.
To read our Privacy Notice in full, please visit the following URL:
All countries
Argentina
Austria
Belgium
Brazil
Bulgaria
Chile
China
Colombia
Cyprus
Czech Republic
Estonia
Denmark
Finland
Greece
Hong Kong
Hungary
Iceland
Indonesia
Ireland
Israel
India
Latvia
Lithuania
Malaysia
New Zealand
Norway
Philippines
Poland
Portugal
Romania
Russia
Singapore
South Africa
South Korea
Sweden
Switzerland
Taiwan
Thailand
Turkey
Ukraine
United Arab Emirates
Security Warning about DVD Planet!!
Linear Mode
