Labour’s passwords

Labour’s security issues go beyond the fact they left their entire server contents available for anyone to see if they went to one of their campaign . Their passwords are now in Google.

Whale blogs:

Commenters at Kiwiblog and other sites quickly realised what I did long ago and that was that Google and other bots had archived Labour’s open site extensively. All their data is still in the cache and will be for quite some time.

Doing a simple cache search of the root domain with the word “password” added shows just how bad their security was.

The problem, however, was much worse than that. Way worse. Remember that Chris Flatt, the Labour General Secretary, sent out a letter and email to their donors assuring them that their credit card details were safe. He shouldn’t have been too hasty with that assurance.

In the MySQL database files there were also plain text strings that contained other database passwords along with the user name and passwords of their credit card provider.

Oh dear.

This shows the appalling lack of security not only for the donor and membership details but also with regard to usernames and passwords for other secure areas.

I never accessed those areas; to do so would have been illegal. But given that their systems were open and exposed long enough that Google and 9 other bots were able to cache the entire directory system, there is a good chance that Russian or Nigerian scamsters also were able to obtain access to the database and credit card processing passwords that Labour left exposed. Chris Flatt cannot give any assurances that their donor details, including credit cards, were safe and secure.

Their credit card passwords have been sitting in Google for several months. Need more be said?
