GoldenPalace.com password security concern

Discussion in 'Casino Complaints - Non-Bonus Issues' started by halcyon1234, Dec 18, 2013.

    Dec 18, 2013
  1. halcyon1234

    halcyon1234 Dormant account

    Occupation:
    Student
    Location:
    Ontario
    It's been a long time since I've done any online gambling, though I still get daily spam from every casino I ever signed up with. No worries, it gets junked and ignored. Except for today. For some reason, the email from GoldenPalace caught my eye, and I opened it.

    Subject line is: Your account has been restored. Presumably accounts that haven't been logged into for a long time get deactivated, and this is their way of trying to nudge me back into logging on. Again, no problem so far. But then I read the email a bit more carefully, and it says "Find your account information below: username: <my old userID> password: <my ACTUAL plaintext password>."

    So they're sending out sensitive information in plaintext in an email, which is disturbing enough. BUT this also means from a technical standpoint, they are storing passwords insecurely. They aren't hashing the passwords. Passwords should NEVER be retrievable. This is a massive, MASSIVE security blunder. For those who know, you know, for those who don't-- you know when you hear about "so and so website had x million passwords stolen from them". This is why. If their database is ever compromised, not only will the attacker have your password to this site, but can then try out that password on your email-- on your other casinos-- on your payment account-- etc.

    This is as egregious as a car manufacturer forgetting to put seatbelts in a car.

    Like I said, I haven't done any casinoing in a long time. My password back then isn't my password now (specifically because it had been compromised in other similar incidents). But I thought I'd post this as food for thought for anyone picking a casino, and taking the company's security practices into account when deciding if you should trust them with your money or not.
     
    4 people like this.
  2. Dec 18, 2013
  3. jetset

    jetset Ueber Meister CAG

    Occupation:
    Senior Partner, InfoPowa News Service
    Location:
    Earth
    What did these clowns say when you brought this to their attention?
     
  4. Dec 18, 2013
  5. halcyon1234

    halcyon1234 Dormant account

    Occupation:
    Student
    Location:
    Ontario
    I tend not to bring security holes to the attention of companies with a faltering business model + lawyers. =)
     
  6. Dec 18, 2013
  7. vinylweatherman

    vinylweatherman You type well loads CAG MM

    Occupation:
    STILL At Leisure
    Location:
    United Kingdom
    They have clearly not brought their procedures up to date. I recall this kind of email back in 2004, but in 2013 people have learned lessons from past hacks and security breaches and now only a username is sent via email. Many sites now only offer a password reset procedure, rather than a retrieval of a forgotten password.

    If any hackers know this company still uses last century's security standards when it comes to holding players' passwords, they are going to wonder what else is still "last century" in terms of security, making them a target for data theft.

    If they have their database stolen, and criminals manage to hack other assets based on the clear text passwords, they could send a whole team naked to the next winter Olympics, and it still won't draw in depositing players.
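
The two practices raised in this thread (hashing passwords so they cannot be retrieved, and mailing a reset link instead of the password) are sketched below as an added example; it is not part of any post and is not GoldenPalace's code. The in-memory dictionaries, the function names and the `casino.example` host are assumptions made for the illustration.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory stand-ins for the site's tables (assumption).
USERS = {}         # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # sha256(token) -> (username, expiry timestamp)
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)
RESET_TTL = 15 * 60  # seconds a reset link stays valid

def derive(password, salt):
    # Slow, salted, one-way: the password cannot be read back out of this.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)

def register(username, password):
    salt = secrets.token_bytes(16)  # unique per user
    USERS[username] = {"salt": salt, "hash": derive(password, salt)}

def verify(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], derive(password, rec["salt"]))

def reactivation_email(username):
    # The mail can name the account, but there is no password to put in it.
    # It carries a random single-use token; only the token's hash is stored.
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).digest()
    RESET_TOKENS[digest] = (username, time.time() + RESET_TTL)
    return (f"Your account has been restored.\nusername: {username}\n"
            f"Set a new password: https://casino.example/reset?token={token}")

def redeem_reset(token, new_password, now=None):
    digest = hashlib.sha256(token.encode()).digest()
    entry = RESET_TOKENS.pop(digest, None)  # pop => usable once
    if entry is None:
        return False
    username, expiry = entry
    if (time.time() if now is None else now) > expiry:
        return False
    register(username, new_password)
    return True

if __name__ == "__main__":
    register("player1", "constructed-sample-pw")
    print(USERS["player1"])            # salt and hash only
    print(reactivation_email("player1"))
```

A copy of `USERS` or `RESET_TOKENS` taken from the database holds only salts and hashes, so neither a stored password nor a working reset link can be read out of it.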
     
