
I received this email yesterday.

Can someone address how much of this is true, and if there is anything I can do to rectify it?

Thanks in advance. The email...
Your website forum '' is providing passwords in clear-text via email upon registration and is also not offering encrypted communications while browsing the page. This presents a security risk to users of the site if a malicious actor were to target the web page. Knowing that the password is sent via email poses many threats, including, but not limited to, the presence of plain-text passwords in the password store which, if breached, could allow an attacker to impersonate any user on the site, or worse, use shared credentials of targeted individuals on other websites (such as a user's bank if they re-use the same password). The presence of a clear-text password in the registration email also indicates that the password is sent unsecured via the internet and could be intercepted at any location en route to the user; it is also stored in the user's mailbox and could be captured if the user's mailbox were being monitored -- this allows an attacker to again impersonate the user, or use this password on other sites which may share the same credentials.

The communication between the browser and the forums page is not encrypted, including during login, which means an attacker who sits between a user and the forums login can scrape the password from the unencrypted communications and again impersonate the user. It stands to reason that the software hosting the forums is likely very outdated and likely contains extensive bugs that could allow an attacker to gain unauthorized access to the forum. With this, the attacker could implant malicious software, monitor user logins, use the hosting platform as an attack vector for other malicious content, etc.

Please update and secure your services immediately.
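For the "what can I do to rectify it" part, here is an added illustration (not the forum's own code, and not from the email's sender) of the two server-side fixes the email implies: store only a salted PBKDF2 hash of each password, and put a hashed, single-use, expiring activation token in the registration email instead of the password. The `Registrations` class, the `https://forum.example` link and the 24-hour token lifetime are assumptions for the demo; serving the site over TLS is a separate web-server configuration step.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 600_000        # OWASP's current PBKDF2-HMAC-SHA256 figure
TOKEN_TTL_SECONDS = 24 * 3600  # assumed activation-link lifetime


def hash_password(password: str) -> str:
    """Return a salted PBKDF2 record; the plaintext itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    _algo, rounds, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


class Registrations:
    """Toy user store (assumed): hashed passwords plus hashed, single-use tokens."""

    def __init__(self, now=time.time):
        self.users = {}    # username -> {"pw": record, "active": bool}
        self.tokens = {}   # sha256(token) -> (username, expiry time)
        self.now = now

    def register(self, username: str, password: str) -> str:
        """Create the account and return the email body to send the user."""
        self.users[username] = {"pw": hash_password(password), "active": False}
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[key] = (username, self.now() + TOKEN_TTL_SECONDS)
        # The mail carries only a one-time link; the password never leaves the server.
        return f"Welcome {username}. Activate: https://forum.example/activate?token={token}"

    def activate(self, token: str) -> bool:
        """Consume the token; it is refused after expiry or on a second use."""
        entry = self.tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or entry[1] < self.now():
            return False
        self.users[entry[0]]["active"] = True
        return True

    def login(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        return bool(user and user["active"] and verify_password(password, user["pw"]))
```

A leaked copy of `users` then exposes only hashes, and a captured registration email is worthless once the link has been used or has expired.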

Piano World
Home of the world famous Piano Forums.
88,000+ registered members
Over 2.5 million posts, and growing...