ALERT – StrawberryNet.Com is revealing the name, addresses and phone numbers associated with a purchaser’s email address without authentication
If you, your family or friends have used that website, please warn them.
Here is what happens:
Go to the website and put anything into the shopping cart.
Click “checkout”.
Enter an email address when prompted.
If the email address is already in their database, the name, address and phone number associated with that email address are immediately displayed with no further authentication required.
Imagine if the bad guys found out and fed in email addresses gathered from data breaches, spam lists etc – it’s a treasure trove of personal information of StrawberryNet.Com customers.
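For developers, the flaw and one possible fix look like this in code. This is an added example, not StrawberryNet.Com's code: the function names, the sample record, the 15-minute token lifetime and the emailed sign-in link design are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample record, not real customer data.
CUSTOMERS = {"alice@example.com": {"name": "Alice Example",
                                   "address": "1 Sample St", "phone": "555-0100"}}
TOKEN_TTL = 900   # seconds a sign-in link stays valid (assumed value)
_PENDING = {}     # sha256(token) -> (email, expiry)
GENERIC = {"message": "If you have ordered before, check your email for a sign-in link."}


def checkout_lookup_vulnerable(email):
    """Behaviour described above: the email address alone unlocks the profile."""
    record = CUSTOMERS.get(email.strip().lower())
    return {"known": True, **record} if record else {"known": False}


def checkout_lookup_hardened(email, send_mail, now=None):
    """Same response for every address; details are released only via redeem()."""
    email = email.strip().lower()
    now = time.time() if now is None else now
    if email in CUSTOMERS:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        _PENDING[digest] = (email, now + TOKEN_TTL)
        send_mail(email, token)  # queue this so response timing does not differ
    return dict(GENERIC)


def redeem(token, now=None):
    """Return saved details only for an unexpired, unused emailed token."""
    now = time.time() if now is None else now
    entry = _PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return None
    return CUSTOMERS[entry[0]]
```

The hardened lookup keeps checkout password-free while ensuring that only someone who controls the mailbox sees the saved details; rate limiting the lookup endpoint would be a further control.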
The issue has been around since at least 2006, was highlighted by Troy Hunt, MVP, in August 2016, and again recently. StrawberryNet.Com are, and have been, aware of the issue. Previously their attitude has been:
“Please be advised that in surveys we have completed, a huge majority of customers like our system with no password. Using your e-mail address as your password is sufficient security, and in addition we never keep your payment details on our website or in our computers.”
Now, however, they say via a pinned tweet that is less than 24 hours old at the time of writing:
“Thank you for your feedback. We understand your concerns, we’ll launch a new checkout flow to improve the user experience in coming 2 wks.”
Be warned, however, that they also promised to change their login system “soon” back in August 2016…
In the meantime, I STRONGLY recommend that you use StrawberryNet.Com’s Contact page or email info@strawberrynet.com to request the immediate deletion or hiding of your personal information. Frankly, the information should be hidden by default and it is unconscionable that they have allowed this situation to remain for so many years.