Labour’s passwords

Labour’s security issues go beyond the fact they left their entire server contents available for anyone to see if they went to one of their campaign websites. Their passwords are now in Google.

Whale blogs:

Com­menters at Kiwiblog and other sites quickly realised what I did long ago and that was that Google and other bots had archived Labour’s open site exten­sively. All their data is still in the cache and will be for quite some time.

Doing a sim­ple cache search of the root domain with the word “pass­word” added shows just how bad their secu­rity was.

The prob­lem how­ever was much worse than that. Way worse. Remem­ber that Chris Flatt the Labour Gen­eral Sec­re­tary sent out a let­ter and email to their donors assur­ing them that their credit card details were safe. He shouldn’t have been too hasty with that assurance.

In the MySQL data­base files there were also plain txt strings that con­tained other data­base pass­words along with the user name and pass­words of their credit card provider.

Oh dear.

This shows the appalling lack of secu­rity not only for the donor and mem­ber­ship details but also with regard to user­names and pass­words for other secure areas.

I never accessed those areas, to do so would have been ille­gal. But given that their sys­tems were open and exposed long enough that Google and 9 other bots were able to cache the entire direc­tory sys­tem there is a good chance that Rus­siam or Niger­ian scam­sters also were able to obtain access to the data­base and credit card pro­cess­ing passs­words that Labour left exposed. Chris Flatt can­not give any assur­ances that their donor details includ­ing credit cards were safe and secure.

Their credit card passwords have been sitting in Google for several months. Need more be said.

Comments (64)

Login to comment or vote

Add a Comment