passwords going through email

  • I do have a website through WP, but this is about something different. I signed up for a campaign on Amnesty International. I had to establish a username and PW for that purpose.

    Apparently, AI uses WP, because the next day, I rec’d an email from WP revealing my PW and other sign-in info. I don’t want my passwords sent revealed through an open email account, which could be vulnerable to hacking. Other sites always asterisk these things.

    That’s a big reveal and now my email address is technically and indirectly vulnerable. I understand that WP takes great pains at security, but also know that good hackers can get by almost anything.

    Why is WP sending spelled out PW’s through email?

  • Hi there,

    Amnesty International’s website is not on WordPress.com, so we have no access to any of their data, least of all passwords. We also never send passwords via email for any reason, so I’m certain the email you received was not from us. Someone might have been spoofing the email to make it seem like it came from us, but we definitely did not send you an email with your login details for a website completely unrelated to us.

    I suggest you rather get in contact with AI. If there is any security breach in this case it’s with them.

  • Thanks for your quick reply! I was also communicating w/ AI, so delayed responding to your answer. They have been very responsive also and the tech guy sent me this:

    *****

    “Hi Sue,

    Thanks for bringing this concern to our attention! We’ve removed that email process now so no one will get their password sent to them like this anymore.

    Best,
    Dan

    [redacted by staff]

    *****

    So I waited a couple of days and tried to change my AI PW (successfully). There has not been a repeat occurrence of my new PW being sent back to me unencrypted (so far). But you will find the message I got during the PW change process rather interesting (copied here off the redirection from AI, complete w/ header identifier WordPress):

    *****

    WordPress
    To: Susan Linden
    [Write For Rights] Password Reset

    Someone has requested a password reset for the following account:

    Write a letter, Change a life – Write for Rights 2023

    Username: (email visible only to moderators and staff)

    If this was a mistake, just ignore this email and nothing will happen.

    To reset your password, visit the following address:

    <[redacted by staff]>

    *****

    I really don’t believe it’s bogus. Somehow AI must be connected w/ WordPress. If you think otherwise, I’d really like to know!

  • It appears that that site is connected to WordPress.com via the Jetpack plugin, but that plugin has nothing to do with the user accounts on a self-hosted WordPress site.

    It could be that they have never changed the default settings for the email the WordPress software generates to show their correct info in the email header.

    The key here would be the actual FROM address. If it’s not donotreply @ wordpress.com, that email was not generated by our system.

    (I’ve redacted the password reset link from the thread, as anyone could use that to gain access to your account on that site. Please don’t post sensitive information like that in a public forum.)
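The sender check described in the reply above, as an added example that is not part of the original thread: it compares the actual From address (not the display name) with the address the reply names, and only accepts a matching address if the receiving server recorded a DKIM pass for that domain. The sample messages, the `example.org`/`example.net` names and the `mx.example.net` server id are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED_FROM = "donotreply@wordpress.com"  # address named in the reply above
TRUSTED_AUTHSERV = "mx.example.net"         # assumption: your own receiving server

def headers(from_value, auth_results):
    # Build a constructed sample message (not real mail).
    return (f"From: {from_value}\nTo: user@example.net\n"
            f"Subject: [Write For Rights] Password Reset\n"
            f"Authentication-Results: {auth_results}\n\nbody\n")

SELF_HOSTED = headers("WordPress <wordpress@campaign.example.org>",
                      "mx.example.net; dkim=pass header.d=campaign.example.org")
SPOOFED = headers("WordPress <donotreply@wordpress.com>",
                  "mx.example.net; dkim=fail header.d=wordpress.com; spf=softfail")
AUTHENTIC = headers("WordPress.com <donotreply@wordpress.com>",
                    "mx.example.net; dkim=pass header.d=wordpress.com; spf=pass")

def dkim_pass_domains(msg):
    """Domains with dkim=pass, read only from our own server's header."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        if value.split(";")[0].strip().lower() != TRUSTED_AUTHSERV:
            continue  # a sender can forge this header; ignore foreign ones
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", value, re.I):
            domains.add(m.group(1).lower())
    return domains

def classify(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))  # display name is free text
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if addr != EXPECTED_FROM:
        return f"other-sender:{domain}"
    if domain in dkim_pass_domains(msg):
        return "address-matches-and-authenticated"
    return "address-matches-but-unauthenticated"

if __name__ == "__main__":
    for name, raw in [("self-hosted", SELF_HOSTED), ("spoofed", SPOOFED),
                      ("authentic", AUTHENTIC)]:
        print(name, "->", classify(raw))
```

A message whose display name reads "WordPress" but whose address sits on the campaign site's own domain is classified as another sender, which is the situation the reply describes.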

  • Thanks for straightening that out, Kokkieh . . . and for redacting my info. I didn’t think I forwarded any sensitive info, but apparently slipped up. Ironic, considering my whole concern was about internet privacy!

    I may forward your reply to AI tech for their perusal. I’ve avoided forums in the past because the questions on others seem to linger unanswered for months. Now I have a new opinion of them, based on your quick attention to this issue.

    It’s a good recommendation for using WordPress for one’s site, as I do…!

  • I’m glad I could help.

    The folks at AI hopefully know this, but they’re welcome to reach out to Jetpack support directly should they need help with the email notification created by that plugin, though I don’t think that’s the culprit here.

    You’re welcome to forward my reply to them, though without access to their site’s dashboard I really have no way of knowing exactly what the problem is so all I can do is speculate :)
