Flixster Wants Your Passwords

Anne Mitchell pointed me toward a post on her Internet Patrol blog about how Flixster’s “invite a friend” functionality either asks you for or allows you to give Flixster your AOL, Hotmail, Yahoo and Gmail passwords.

Then Flixster logs in to your email account, finds your address book, and sends out invites to your friends in your name from your own email account.

Flixster founder Joe G (Joe Greenstein?) posted a comment in response to Anne, confirming that this was indeed the case. He goes on to state that users are “then ALWAYS given the list of contacts and asked to select whom to invite.”

Well, that’s good. But still, yikes.

Are there still people out there ignorant enough to give out their email passwords to strangers? Joe may be trustworthy, but Joe’s still a stranger, and so is Flixster.

In my opinion, there should never be a reason to give an account password to any site other than the one the account belongs to. If that other site ever gets hacked, or if its data security is lax enough to allow employees to steal data, it’ll end up being a privacy (and spam) disaster.

This reminds me of something. Recently, SpamHuntress talked about how Myspace accounts get hacked, and it sounds similar to this. Give us your username and password so we can do something cool with your account… and then we’ll do a bunch of other bad stuff too, without your knowledge.

I am not suggesting that Flixster are a bunch of privacy thieves. I am not implying that they’re going to do something bad with your email accounts. I am, instead, suggesting that you shouldn’t give your passwords out, to prevent something like that from ever happening to you, regardless of how trustworthy the site/service actually is or claims to be.

Do you know how much it would suck if somebody hacked into your AOL or Gmail account and was able to send emails as you? The account could be used to send spam to your friends and others, matched up with your saved emails to find your passwords to financial or other accounts, or used as part of a phishing scam to get bank info from other unsuspecting people.
