A few weeks ago, when I was going through all my online accounts and making the passwords more secure and unique I logged in to Match.com and deactivated my account. I didn’t delete it, just made it dormant. I did this because I found my Fiancée over 3 years ago (via Match.com) so there was no reason to still have an active account. I didn’t want to delete the account because it had some of our earliest messages to each other saved.
Anyway, I checked my emails today and noticed that I had one from them encouraging me to re-activate my account. What was more concerning was that the email contained my password in plain text! Here is a screenshot of the email:
I was about to submit them to plaintextoffenders.com but I did a search before and found that they were already added to the list 15 months ago, so I left a comment on the plaintextoffenders listing and decided to send a message to Match.com. The message was:
On the 20th of December 2012 I received an email encouraging me to reactivate my account. What concerns me is that in the body of the email was my password, in plain text! Firstly you should not be storing my password in plain text, and secondly (if you insist on storing passwords as plain text) you should not be sending it to me over something as insecure as email, especially if I didn’t request it!
I was about to submit match.com to http://plaintextoffenders.com, but when I searched, I saw that it was already submitted some 15 months ago. See http://plaintextoffenders.com/post/9744438766/match-com-dating-site-very-soon-after-i-got-this.
For a brief overview of why storing passwords in plain text is bad, you can start reading here: http://plaintextoffenders.com/about/
Please bear in mind that while you are now being shamed by plaintextoffenders.com, if you decide to fix the security flaw, your site would be moved to a different section of the site where you would be praised for admitting the fault and fixing it. See http://plaintextoffenders.com/reformed
I am in no way affiliated with plaintextoffenders.com, but I do support what they are trying to do and I would like to know if you are in the process of fixing, or plan to fix this security flaw in the near future?
Please reply to <email address removed>
I will update this post if/when I get a reply, but in the meantime I would recommend against joining Match.com and deleting any accounts you might have with them until they act a bit more responsibly.
Update: I got this email back from Match.com:
Thank you for contacting us at match.com.
We understand that you received an email from us on the 20th December 2012 with your password in plain text which you feel is a serious compromise of security.
We are really sorry about this error and I have forwarded your issue to our site developers to look into.
We hope you have found this information useful and please feel free to get in touch if there is anything further we can help you with. For answers to the most common questions click ‘Help’, available from the foot of any page.
At least they are not dismissing it. I wonder if anything will actually change?
I just asked to reset my password today and they instead emailed me my password. No, nothing has changed in what appears to be 6 months since your post/experience.
This has not been fixed and I don’t see the issue being resolved anytime soon. I’ve also updated the post at http://plaintextoffenders.com
This problem is still not fixed. If they can’t protect your password, I guarantee they cannot protect your privacy from other members.
Well I’ve just requested a password reset today and yes: Plaintext. Nothing appears to have changed 17 months after your initial report.
It is even worse, much worse, than you have thought…
Match.com does not ‘verify’ your email before they use it and store it in your account.
We (as owners of the domain ‘matchmake.com’) have been receiving email from their servers with private log-on information (and much more) because people (for some reason) have been entering their email addresses using our domain by mistake. Match.com happily accepts it even though they have NO access to it and never verified it and blindly gives anyone with access to the mistyped email address FULL access to their Match.com account.
At first we thought it was just some fake robot accounts being set up with random email addresses – but it is not. These accounts have fully registered credit cards in their profiles and are fully active subscriptions.
Pretty lame Match.com, pretty lame.
We are debating what we should do about it and the 707 emails we have received from them in just the last 5 months…
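The post asks for two things and the comment above from the matchmake.com owners adds a third: store only a salted, slow hash of the password (so there is no plaintext to email), send a short-lived single-use token rather than the password when a reset is requested, and act on an email address only after it has been confirmed by a token round-trip, so mail with account-recovery material never goes to an address nobody has proven they control. The Python below is an added example of that pattern; it is not Match.com's code or anything from this page, and `AccountStore`, the 15-minute token lifetime and the in-memory `outbox` standing in for a mail client are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed policy for the example: verification/reset tokens live 15 minutes.
TOKEN_TTL = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, scrypt digest). Only this pair is stored; the password itself never is,
    so the site has nothing it could put in an email even if it wanted to."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    email_verified: bool = False
    # purpose ("verify" / "reset") -> (sha256 of token, expiry). Raw tokens are never stored.
    tokens: Dict[str, Tuple[bytes, float]] = field(default_factory=dict)


class AccountStore:
    """Hypothetical account service: hashed passwords, verified addresses, token-based reset."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []  # (recipient, body): stand-in for SMTP
        self.now = now

    def _issue_token(self, acct: Account, purpose: str) -> str:
        token = secrets.token_urlsafe(32)
        acct.tokens[purpose] = (hashlib.sha256(token.encode()).digest(), self.now() + TOKEN_TTL)
        return token

    def _redeem_token(self, acct: Account, purpose: str, token: str) -> bool:
        # Single use: any redemption attempt consumes the stored token, so a wrong guess
        # forces a fresh request rather than leaving a live token around.
        entry = acct.tokens.pop(purpose, None)
        if entry is None:
            return False
        expected, expires = entry
        if self.now() > expires:
            return False
        return hmac.compare_digest(hashlib.sha256(token.encode()).digest(), expected)

    def register(self, email: str, password: str) -> str:
        salt, digest = hash_password(password)
        acct = Account(email, salt, digest)
        self.accounts[email] = acct
        token = self._issue_token(acct, "verify")
        self.outbox.append((email, f"Confirm your address: token={token}"))
        return token  # returned only so a caller can simulate clicking the link

    def confirm_email(self, email: str, token: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None:
            return False
        if self._redeem_token(acct, "verify", token):
            acct.email_verified = True
        return acct.email_verified

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and verify_password(password, acct.salt, acct.pw_hash)

    def request_reset(self, email: str) -> Optional[str]:
        acct = self.accounts.get(email)
        if acct is None or not acct.email_verified:
            return None  # unknown or unconfirmed address: send nothing, reveal nothing
        token = self._issue_token(acct, "reset")
        self.outbox.append((email, f"Reset your password: token={token}"))
        return token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or not self._redeem_token(acct, "reset", token):
            return False
        acct.salt, acct.pw_hash = hash_password(new_password)
        return True
```

Two design points carry the weight: `request_reset` returns the same nothing for an unknown address and for an unconfirmed one, which is what stops a mistyped address (like the matchmake.com case above) from receiving recovery mail; and the outbox only ever carries a random token whose hash is what the store keeps, so even a leaked mailbox or a leaked database yields neither the password nor a reusable reset link.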
I think maybe it’s time to escalate. Perhaps @SamYagan (CEO of Match.com) might be worth contacting…
Update: Tweeted him: https://twitter.com/Grezzo82/statuses/493796324048117760
Yikes this is pretty bad. It’s almost 2 years later and they’re still doing it! I clicked forgot password and bam, plaintext password sent to me in my email.
They don’t even verify emails! This is just ridiculous
I just signed up for match.com and guess what was included in an email from them: My password, in plaintext!