I Hope You Don’t Have a Borders Rewards Card - mikecane
http://www.mediabistro.com/ebooknewser/i-hope-you-dont-have-a-borders-rewards-card_b9719

======
bdb
A few years ago, I signed up for a Borders rewards card. Gave them an email
address of borders@mydomain.com. Weeks later, began getting tons of spam to
that address.

So uh, I'm guessing that this Borders employee isn't the only one who knows
about this.

------
goodside
Reminder: If a link you want to submit has an uninformative, sensationalist,
or otherwise shitty title, you should fix it. This is precedented, popularly
encouraged, and in some cases required.

------
bdclimber14
I'm not sure I'd give them the benefit of the doubt that it was security
through obscurity. Maybe it was an incredible error where editing resources
didn't have any type of authorization and no authentication based on the
article.

~~~
ams6110
Back in 2000 I worked on a website that had a secret page where you could
enter any SQL statement in a textarea and it would be executed and the results
returned to the page. This was claimed to be necessary for "debugging" and
"support" but the only protection was that the URL was not linked anywhere
else on the site.

I would not be so sure it's NOT security through obscurity. Whether it is or
not, the Borders case is just another example of why it's no longer prudent to
trust ANY online service with your personal data (though most of us would
probably not think that signing up for a Borders Rewards card would create an
online profile).

~~~
pavel_lishin
Was it something like /admin/query.php ?

~~~
s00pcan
I used to use /admin2/. I don't think anyone ever found out, but the website
was a hideous mess of a first attempt at using PHP/MySQL.

~~~
c1sc0
My favorite was /pepe (grandfather in French) for phpMyAdmin. I remember a few
places where /pepe stayed alive for many years after I'd left. Sure, there was
a password ... but what good is a password if no one is around to apply
security patches.
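The debug page ams6110 describes and the hidden admin paths in the replies share one flaw: the URL is the only gate, with no authentication, no authorization and no record of who ran what. The following is an added example, not code from the thread or from Borders; it shows that endpoint in its obscurity-only form next to a version that checks identity, then privilege, logs the statement and runs it on a read-only database handle. The request shape, the session store and the /admin/query.php path are assumptions.

```python
import os
import sqlite3
import tempfile
from http import HTTPStatus

# Constructed sample data (not from the thread): a small SQLite file with a
# read/write handle for the application and a read-only handle for the debug page.
DB_PATH = os.path.join(tempfile.mkdtemp(), "rewards.db")
RW = sqlite3.connect(DB_PATH)
RW.execute("CREATE TABLE members (id INTEGER, email TEXT)")
RW.execute("INSERT INTO members VALUES (1, 'borders@example.com')")
RW.commit()
RO = sqlite3.connect(f"file:{DB_PATH}?mode=ro", uri=True)  # writes fail on this handle

# Hypothetical session store: cookie value -> who is logged in and their role.
SESSIONS = {"sess-admin": {"user": "ops", "role": "admin"},
            "sess-member": {"user": "alice", "role": "member"}}
AUDIT = []  # (user, sql) for every statement the hardened debug page runs

def obscurity_only(request):
    """The 2000-era pattern: the only 'protection' is that nothing links here."""
    if request["path"] != "/admin/query.php":
        return HTTPStatus.NOT_FOUND, None
    # Anyone who learns the URL can run arbitrary SQL, including writes.
    return HTTPStatus.OK, RW.execute(request["form"]["sql"]).fetchall()

def authn_authz_readonly(request):
    """Hardened: establish identity, then privilege, then constrain what can run."""
    if request["path"] != "/admin/query.php":
        return HTTPStatus.NOT_FOUND, None
    session = SESSIONS.get(request.get("cookie"))
    if session is None:                      # authentication: who is this?
        return HTTPStatus.UNAUTHORIZED, None
    if session["role"] != "admin":           # authorization: may they use this page?
        return HTTPStatus.FORBIDDEN, None
    sql = request["form"]["sql"]
    AUDIT.append((session["user"], sql))     # accountability: record who ran what
    try:
        return HTTPStatus.OK, RO.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:  # e.g. a write attempted on the read-only handle
        return HTTPStatus.BAD_REQUEST, str(exc)
```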

------
camiller
So worst case scenario, someone could have hacked my profile and "upgraded" my
account since I just have the basic account. Oh and they could have harvested
the spamgourmet email address that has boarders.com as the exclusive sender.

------
cafard
I haven't had one that long--I got it because a co-worker was impatient at my
not having one. But I haven't particularly noticed quantities of spam that
followed it to my Gmail account, other than from Borders of course.

------
vipivip
Big companies are so horrible at protecting personal data.

~~~
MichaelApproved
I'm sure plenty of small companies are shitty too but no one notices or cares
as much. If a tiny website has a security breach, who's going to write about
it? Who would care enough to post it? How many up votes would it get?

We just hear about the large breaches because it affects more people.

------
RyanKearney
Google cache still has it

[http://webcache.googleusercontent.com/search?sourceid=chrome...](http://webcache.googleusercontent.com/search?sourceid=chrome&ie=UTF-8&q=cache%3Abordersacctweb.brierley.com%2Fwaldenpos.aspx)

In case that goes down, here's a screenshot: <http://i.imgur.com/H5U8Z.png>

------
rkon
I guess when you know you're going out of business you get a little lazy with
customer data...

------
darklajid
Erm.. And for people that have no clue what this is about (even after checking
the link) and - like me - miss the capitalization and expect something related
to .. borders:

Talking about a plain old (boring?) payback card of ~some~ a book
store/reseller, it seems. I guess. [1]

1: <http://www.borders.com/online/store/FaqView_faq1>