Why is Daz exposing user email addresses?
barbult
Posts: 24,240
in The Commons
Today is the third time recently that I've seen user email addresses exposed by Daz. The first two were in forum postings. The third was in a private message. These were three different users - two were PAs and one was a normal user. In the fourm, the email address was shown where the username should have been, under the user's avatar. Obviously, I'm not going to post a screenshot here and make the exposure worse. This is worrisome. Our email addresses should not be exposed by Daz. Only our username should be visible to other users.
Comments
This happened to me. When you turn off the mature filter, your username becomes your email address. So you must be careful when doing that and ensure that they change it back to what it should be.
We talked with them about it again yesterday and they are looking into it.
That sounds like maybe a browser-prefill thing getting confused maybe? Either that or new code as I switched off the filter a while ago and my username seems to be intact.
Either way, it would probably be best for Daz to implement some validation on usernames to disallow ampersands.
Thank you for that explanation. Your's was not one that I had seen.
Day by day, Daz3D is losing our trust with things like this. Thanks for keeping after them. Exposing personal details like this is totally unacceptable.
In looking at this Daz found that AutoComplete can put the email into the username field automatically, presumably depending on what browser you use and perhaps on what you are doing on the page. If you change settings on your account page (changing the mature content filter, for example) then check the other fields are as you want them before accepting. It isn't an action on Daz' part, which is why it seems to affect only a few users.
We tend to catch them pretty quickly and notify the user that it needs to be changed. 80% of the time we usually know who the person is but we don't change people's info without their permission
Companies get fined big bucks for data breaches of customers' personal info.
I think you mean at sign (@), not ampersand (&). But, yes, that seems like a reasonable idea.
Thank you and other admins for helping.
@barbult, thanks for alerting us to this. This really shouldn't be happening to anyone, no matter which browser. For the DAZ team, I seem to be good, and I'm mostly on iPad, DuckDuckGo browser, if it's any help.
I had seen one user flipping back and forth over the past few days, wasn't sure what was up. I hope that person checks this thread out.
If it is AutoComplete or something like that then it isn't really anything Daz is doing. If it were daz I'd expect it to affect everyone who performed the required trigger actions - and i certainly didn't get my user name changed when I tried toggling the Mature filter as a test, nor have others (but I usually don't enable any auto-complete features, which backs up that diagnosis).
But who gets the money? Not those it affects, to my knowledge.
Maybe they get ad-free Facebook for a year...
But only if you're part of the class, I guess. They most likely do have the data for all the affected users, so they could compensate them all, it they wanted.
I've had enough now, currently replacing my 20+ year old email address. It's been leaked from 18 different companies and sources over time, so the spammer\scammers now have my full name and email, and god knows what else. Takes a lot of time and work to replace it with the new one on those hundreds of things I'm subscribed to.
Ooops! Yes, that's what I had in my head that obviously took a wrong turn by the time it got to my fingers when typing it out :(
I have a similar ongoing project of changing email addresses and passwords on many years worth of online accounts and websites, because of multiple leaks. I get about 30 spam and pfishing messages a day. It is rapidly on the rise lately. ATT is accused of a huge personal data leak, which they deny.
I get autocompletely wrong most of the websites and apps I use. I thought those input field were supposed to be tagged with data types in this modern age?
It happend to me too, and it is as mentioned by some, due to your own browsers autofill. It changes your username when you want to change something in your preferences. Best way for Daz to deal with it is to not allow autofill for that field (or just call it profilename instead of username, since many browsers often put email in username fields if it doesn't have any other info). That way your username will not be overwritten by your browser.
When I go in now though, it keeps my username as it is. My autofill has learned that Kersey, and not my email, is my username.
I second the idea of tightening ones security on the web. It is best to assume that your email address will/can be hackied or found out sooner or later, for whatever reason.
You can check if your email address has fallen into the wrong hands here: https://haveibeenpwned.com/
I was once told everybody should use different accounts for different purposes: disposable one-off email adresses as much as possible, if necessary an account (or different ones) for shopping at certain online stores, and then other addresses for friends. But even in the case of friends, if they click through on certain apps without reading the TOS, they might be allowing that company to rummage through their contacts, scoop up your info, and suddenly you get spammed from a place (using your first and last name) you have never had any contact with. Then that company gets hacked and suddened you get phishing emails. Fun fun. So, you must also protect yourself from the negligent behavior of friends and family. Welcome to the new normal.
It's going to take some reading up on all of this (if you are unfamiliar with all the potential vulnerabilities one is subjected to, and how to best guard against them) and an investment in time to make all the necessary changes, which should include carefully selecting which browser to use, what add-ons you do or don't install, etc., because browsers can also be subject to attacks that can leak info. Then, of course, life without a VPN (from a reliable company, so research that too) has become unthinkable, so you better have one of those too.
With regard to autocompletes and the like, I personally would NEVER leave a credit card sitting in the database of a company. That is just another unnecessary risk that is part of so-called conveniences that are anything but that when they fail, which they do all the time. GI would also get a disposable VISA debit card (or any kind that can be charged up, but has no credit line) to limit whatever damage can happen if somebody does get your numbers, even if you don't use autocomplete. Moreover, I personally never let browsers store site passwords. Those can also be hacked
The work that needs to be done to protect oneself will, as I said, require some research, time and determination.
With regard to DAZ, please implement protocols that proactively protect you and your customers so that whatever browser (or whatever) they use can't create problems. I am sure there are ways to do that.
It happened on mine, but purely by coincidence I actually was trying to change my DAZ email address in my profile and just thought I had messed something up (I didn't) but noticed fairly quickly and fixed it. Thanks Barbult for letting people know, even though I already had it sorted, I appreciate you "watching out for us".
Apparently you can't change your defult DAZ email yourself (or at least I couldn't get it to stick) so am assuming it requires a CS ticket.
Also, I use Firefox on DeskTop PC and Safari on iPad.