Why is Daz exposing user email addresses?

barbult Posts: 24,369

Today is the third time recently that I've seen user email addresses exposed by Daz. The first two were in forum postings. The third was in a private message. These were three different users - two were PAs and one was a normal user. In the forum, the email address was shown where the username should have been, under the user's avatar. Obviously, I'm not going to post a screenshot here and make the exposure worse. This is worrisome. Our email addresses should not be exposed by Daz. Only our username should be visible to other users.

Comments

  • FenixPhoenix Posts: 3,089

    This happened to me. When you turn off the mature filter, your username becomes your email address. So you must be careful when doing that and ensure that they change it back to what it should be.

  • frank0314 Posts: 14,120

    We talked with them about it again yesterday and they are looking into it. 

  • SofaCitizen Posts: 1,913

    FenixPhoenix said:

    This happened to me. When you turn off the mature filter, your username becomes your email address. So you must be careful when doing that and ensure that they change it back to what it should be.

    That sounds like maybe a browser-prefill thing getting confused maybe?  Either that or new code as I switched off the filter a while ago and my username seems to be intact.

    Either way, it would probably be best for Daz to implement some validation on usernames to disallow ampersands.

  • barbult Posts: 24,369

    FenixPhoenix said:

    This happened to me. When you turn off the mature filter, your username becomes your email address. So you must be careful when doing that and ensure that they change it back to what it should be.

    Thank you for that explanation. Yours was not one that I had seen. 

  • barbult Posts: 24,369

    frank0314 said:

    We talked with them about it again yesterday and they are looking into it. 

    Day by day, Daz3D is losing our trust with things like this. Thanks for keeping after them. Exposing personal details like this is totally unacceptable.

  • FenixPhoenix Posts: 3,089
    Yeah, luckily for me I caught it right away. Then when I decided to switch the mature filter back on so I could take note of what was and wasn't hidden, I realized that's when the username got changed again to my email address.
  • frank0314 Posts: 14,120

    In looking at this Daz found that AutoComplete can put the email into the username field automatically, presumably depending on what browser you use and perhaps on what you are doing on the page. If you change settings on your account page (changing the mature content filter, for example) then check the other fields are as you want them before accepting. It isn't an action on Daz' part, which is why it seems to affect only a few users.

  • frank0314 Posts: 14,120
    edited April 6

    barbult said:

    frank0314 said:

    We talked with them about it again yesterday and they are looking into it. 

    Day by day, Daz3D is losing our trust with things like this. Thanks for keeping after them. Exposing personal details like this is totally unacceptable.

    We tend to catch them pretty quickly and notify the user that it needs to be changed. 80% of the time we usually know who the person is but we don't change people's info without their permission.

  • barbult Posts: 24,369

    Companies get fined big bucks for data breaches of customers' personal info.

  • FenixPhoenix Posts: 3,089
    I use Firefox as a browser in case that is useful information.
  • barbult Posts: 24,369

    SofaCitizen said:

    FenixPhoenix said:

    This happened to me. When you turn off the mature filter, your username becomes your email address. So you must be careful when doing that and ensure that they change it back to what it should be.

    That sounds like maybe a browser-prefill thing getting confused maybe?  Either that or new code as I switched off the filter a while ago and my username seems to be intact.

    Either way, it would probably be best for Daz to implement some validation on usernames to disallow ampersands.

    I think you mean at sign (@), not ampersand (&). But, yes, that seems like a reasonable idea.

  • barbult Posts: 24,369

    frank0314 said:

    barbult said:

    frank0314 said:

    We talked with them about it again yesterday and they are looking into it. 

    Day by day, Daz3D is losing our trust with things like this. Thanks for keeping after them. Exposing personal details like this is totally unacceptable.

    We tend to catch them pretty quickly and notify the user that it needs to be changed. 80% of the time we usually know who the person is but we don't change people's info without their permission

    Thank you and other admins for helping.

  • tsroemi Posts: 2,777

    @barbult, thanks for alerting us to this. This really shouldn't be happening to anyone, no matter which browser. For the DAZ team, I seem to be good, and I'm mostly on iPad, DuckDuckGo browser, if it's any help.

  • memcneil70 Posts: 4,195

    I had seen one user flipping back and forth over the past few days, wasn't sure what was up. I hope that person checks this thread out.

  • Richard Haseltine Posts: 101,372

    If it is AutoComplete or something like that then it isn't really anything Daz is doing. If it were Daz I'd expect it to affect everyone who performed the required trigger actions - and I certainly didn't get my user name changed when I tried toggling the Mature filter as a test, nor have others (but I usually don't enable any auto-complete features, which backs up that diagnosis).

  • Taoz Posts: 9,957

    barbult said:

    Companies get fined big bucks for data breaches of customers' personal info.

    But who gets the money?  Not those it affects, to my knowledge. 

  • barbult Posts: 24,369
    Taoz said:

    barbult said:

    Companies get fined big bucks for data breaches of customers' personal info.

    But who gets the money?  Not those it affects, to my knowledge. 

    Lawyers probably get a big share. Affected users in the class get something, from my experience.
  • NorthOf45 Posts: 5,513

    Maybe they get ad-free Facebook for a year...

  • Taoz Posts: 9,957
    edited April 8

    barbult said:

    Taoz said:

    barbult said:

    Companies get fined big bucks for data breaches of customers' personal info.

    But who gets the money?  Not those it affects, to my knowledge. 

    Lawyers probably get a big share. Affected users in the class get something, from my experience.

    But only if you're part of the class, I guess.  They most likely do have the data for all the affected users, so they could compensate them all, if they wanted. 

    I've had enough now, currently replacing my 20+ year old email address.  It's been leaked from 18 different companies and sources over time, so the spammer\scammers now have my full name and email, and god knows what else.  Takes a lot of time and work to replace it with the new one on those hundreds of things I'm subscribed to.  

  • SofaCitizen Posts: 1,913

    barbult said:

    I think you mean at sign (@), not ampersand (&). But, yes, that seems like a reasonable idea.

    Ooops! Yes, that's what I had in my head that obviously took a wrong turn by the time it got to my fingers when typing it out :(

  • barbult Posts: 24,369

    Taoz said:

    barbult said:

    Taoz said:

    barbult said:

    Companies get fined big bucks for data breaches of customers' personal info.

    But who gets the money?  Not those it affects, to my knowledge. 

    Lawyers probably get a big share. Affected users in the class get something, from my experience.

    But not if you're part of the class, I guess.  They most likely do have the data for all the affected users, so they could compensate them all, if they wanted. 

    I've had enough now, currently replacing my 20+ year old email address.  It's been leaked from 18 different companies and sources over time, so the spammer\scammers now have my full name and email, and god knows what else.  Takes a lot of time and work to replace it with the new one on those hundreds of things I'm subscribed to.  

    I have a similar ongoing project of changing email addresses and passwords on many years' worth of online accounts and websites, because of multiple leaks. I get about 30 spam and phishing messages a day. It is rapidly on the rise lately.  ATT is accused of a huge personal data leak, which they deny.

  • nonesuch00 Posts: 18,163

    I get autocompletely wrong most of the websites and apps I use. I thought those input fields were supposed to be tagged with data types in this modern age?

  • Kersey Posts: 73

    It happened to me too, and it is as mentioned by some, due to your own browser's autofill. It changes your username when you want to change something in your preferences. Best way for Daz to deal with it is to not allow autofill for that field (or just call it profilename instead of username, since many browsers often put email in username fields if it doesn't have any other info). That way your username will not be overwritten by your browser.

    When I go in now though, it keeps my username as it is. My autofill has learned that Kersey, and not my email, is my username.
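
The two fixes suggested in this thread (rejecting "@" in the public name, and keeping the browser's autofill away from that field) can be sketched as below. This is an added example, not part of any post and not Daz's code; the field name `profile_name`, the function names and the sample account are hypothetical.

```javascript
// Added example: all names and sample values here are hypothetical.

// Escape a value before placing it inside an HTML attribute.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Render the public-name input. name="profile_name" avoids the "username"
// heuristic, and autocomplete="nickname" is the HTML autofill token for a
// screen name, so the browser has no reason to offer an email address.
function renderDisplayNameField(current) {
  return `<input type="text" name="profile_name" autocomplete="nickname" ` +
         `value="${escapeAttr(current)}">`;
}

// Server-side check: autofill behaviour differs between browsers, so the
// form markup alone cannot be relied on.
function validateProfileUpdate(account, form) {
  const name = String(form.profile_name ?? '').trim();
  const errors = [];
  if (name.length === 0) errors.push('display name is required');
  if (name.includes('@')) errors.push('display name must not contain "@"');
  if (errors.length > 0) return { ok: false, errors, changes: {} };

  // Report only the fields that differ, so the UI can ask for confirmation
  // when the public name changes alongside an unrelated setting.
  const changes = {};
  if (name !== account.displayName) changes.displayName = name;
  const filter = form.mature_filter === 'on';
  if (filter !== account.matureFilter) changes.matureFilter = filter;
  return { ok: true, errors, changes };
}

// Constructed sample: the browser autofilled the email into the name field
// while the user only toggled the content filter.
const sampleAccount = { email: 'user@example.com', displayName: 'Kestrel', matureFilter: true };
const autofilledForm = { profile_name: 'user@example.com', mature_filter: '' };
console.log(validateProfileUpdate(sampleAccount, autofilledForm));
```
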

  • mcorr Posts: 1,093
    edited April 8

    barbult said:

    Taoz said:

    barbult said:

    Taoz said:

    barbult said:

    Companies get fined big bucks for data breaches of customers' personal info.

    But who gets the money?  Not those it affects, to my knowledge. 

    Lawyers probably get a big share. Affected users in the class get something, from my experience.

    But not if you're part of the class, I guess.  They most likely do have the data for all the affected users, so they could compensate them all, if they wanted. 

    I've had enough now, currently replacing my 20+ year old email address.  It's been leaked from 18 different companies and sources over time, so the spammer\scammers now have my full name and email, and god knows what else.  Takes a lot of time and work to replace it with the new one on those hundreds of things I'm subscribed to.  

    I have a similar ongoing project of changing email addresses and passwords on many years' worth of online accounts and websites, because of multiple leaks. I get about 30 spam and phishing messages a day. It is rapidly on the rise lately.  ATT is accused of a huge personal data leak, which they deny.

    I second the idea of tightening one's security on the web. It is best to assume that your email address will/can be hacked or found out sooner or later, for whatever reason. 

    You can check if your email address has fallen into the wrong hands here: https://haveibeenpwned.com/

    I was once told everybody should use different accounts for different purposes: disposable one-off email addresses as much as possible, if necessary an account (or different ones) for shopping at certain online stores, and then other addresses for friends. But even in the case of friends, if they click through on certain apps without reading the TOS, they might be allowing that company to rummage through their contacts, scoop up your info, and suddenly you get spammed from a place (using your first and last name) you have never had any contact with. Then that company gets hacked and suddenly you get phishing emails. Fun fun. So, you must also protect yourself from the negligent behavior of friends and family. Welcome to the new normal.

    It's going to take some reading up on all of this (if you are unfamiliar with all the potential vulnerabilities one is subjected to, and how to best guard against them) and an investment in time to make all the necessary changes, which should include carefully selecting which browser to use, what add-ons you do or don't install, etc., because browsers can also be subject to attacks that can leak info. Then, of course, life without a VPN (from a reliable company, so research that too) has become unthinkable, so you better have one of those too.

    With regard to autocompletes and the like, I personally would NEVER leave a credit card sitting in the database of a company. That is just another unnecessary risk that is part of so-called conveniences that are anything but that when they fail, which they do all the time. I would also get a disposable VISA debit card (or any kind that can be charged up, but has no credit line) to limit whatever damage can happen if somebody does get your numbers, even if you don't use autocomplete. Moreover, I personally never let browsers store site passwords. Those can also be hacked.

    The work that needs to be done to protect oneself will, as I said, require some research, time and determination.

    With regard to DAZ, please implement protocols that proactively protect you and your customers so that whatever browser (or whatever) they use can't create problems. I am sure there are ways to do that.

  • Gogger Posts: 2,401

    It happened on mine, but purely by coincidence I actually was trying to change my DAZ email address in my profile and just thought I had messed something up (I didn't) but noticed fairly quickly and fixed it.  Thanks Barbult for letting people know, even though I already had it sorted, I appreciate you "watching out for us".

    Apparently you can't change your default DAZ email yourself (or at least I couldn't get it to stick) so am assuming it requires a CS ticket. 

    Also, I use Firefox on DeskTop PC and Safari on iPad.
