I Hope You Don’t Have a Borders Rewards Card (mediabistro.com)
84 points by mikecane on April 26, 2011 | hide | past | favorite | 17 comments



A few years ago, I signed up for a Borders rewards card. Gave them an email address of borders@mydomain.com. Weeks later, began getting tons of spam to that address.

So uh, I'm guessing that this Borders employee isn't the only one who knows about this.


Reminder: If a link you want to submit has an uninformative, sensationalist, or otherwise shitty title, you should fix it. This is precedented, popularly encouraged, and in some cases required.


I'm not sure I'd give them the benefit of the doubt that it was security through obscurity. Maybe it was an incredible error where editing resources didn't have any type of authorization and no authentication based on the article.


Back in 2000 I worked on a website that had a secret page where you could enter any SQL statement in a textarea and it would be executed and the results returned to the page. This was claimed to be necessary for "debugging" and "support" but the only protection was that the URL was not linked anywhere else on the site.

I would not be so sure it's NOT security through obscurity. Whether it is or not, the Borders case is just another example of why it's no longer prudent to trust ANY online service with your personal data (though most of us would probably not think that signing up for a Borders Rewards card would create an online profile).


Was it something like /admin/query.php ?


I used to use /admin2/. I don't think anyone ever found out, but the website was a hideous mess of a first attempt at using PHP/MySQL.


My favorite was /pepe (grandfather in French) for phpMyAdmin. I remember a few places where /pepe stayed alive for many years after I'd left. Sure, there was a password ... but what good is a password if no one is around to apply security patches?


It's not security through obscurity because I've discovered their SOAP endpoints that powered this front end, and from that discovered a ton of other Brierley clients that are vulnerable to similar issues.

Now trying to work out how to make the disclosure to Brierley.


Or it could have been a feature.

Back in 2000, I worked on the ecommerce site of a major consumer electronics manufacturer. One of the "features" that was implemented was for people that had an account, but hadn't logged in and had decided to proceed through the normal checkout process. When you entered your email address, it did a lookup in the accounts database and if that email address already existed, it logged you in as that user. Credit card numbers weren't viewable, but were stored on the account.

Nobody understood why this was a bad idea until I ordered a digital camera to the head of internet marketing using his own account.
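The e-mail-lookup "feature" described in this comment, as an added example that is not from the original thread or the site it describes: a vulnerable checkout that hands out a stored account on e-mail match alone, beside a hardened version that only attaches the account after a verified password. The account store, e-mail, password and payment token are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import secrets

# Constructed sample data: one stored account with a saved payment token.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    card_token: str  # stored payment method; must never reach a guest session

def _make_account(email: str, password: str, card_token: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(email, salt, _hash(password, salt), card_token)

ACCOUNTS = {
    "marketing.head@example.com": _make_account(
        "marketing.head@example.com", "correct horse battery", "tok_constructed_4242"),
}

@dataclass
class Session:
    email: str
    authenticated: bool
    card_token: Optional[str]  # payment method usable at checkout, if any

def checkout_vulnerable(email: str) -> Session:
    """The 'feature' from the post: a known e-mail alone yields that account's session."""
    acct = ACCOUNTS.get(email)
    if acct is not None:
        return Session(acct.email, True, acct.card_token)  # no password was ever checked
    return Session(email, False, None)

def checkout_hardened(email: str, password: Optional[str] = None) -> Session:
    """Guest checkout never inherits stored account data; only a verified password does."""
    acct = ACCOUNTS.get(email)
    if acct is not None and password is not None:
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            return Session(acct.email, True, acct.card_token)
    # Unknown e-mail, no password, or wrong password all get the same plain
    # guest session, so the lookup also does not reveal whether an account exists.
    return Session(email, False, None)
```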


So worst case scenario, someone could have hacked my profile and "upgraded" my account since I just have the basic account. Oh, and they could have harvested the spamgourmet email address that has borders.com as the exclusive sender.


I haven't had one that long--I got it because a co-worker was impatient at my not having one. But I haven't particularly noticed quantities of spam that followed it to my Gmail account, other than from Borders of course.


Big companies are so horrible at protecting personal data.


I'm sure plenty of small companies are shitty too, but no one notices or cares as much. If a tiny website has a security breach, who's going to write about it? Who would care enough to post it? How many upvotes would it get?

We just hear about the large breaches because it affects more people.


So are little companies, in many cases. Maybe it's just that we expect more from the big ones.


Google cache still has it

http://webcache.googleusercontent.com/search?sourceid=chrome...

In case that goes down, here's a screenshot: http://i.imgur.com/H5U8Z.png


I guess when you know you're going out of business you get a little lazy with customer data...


Erm... And for people that have no clue what this is about (even after checking the link) and, like me, miss the capitalization and expect something related to... borders:

Talking about the plain old (boring?) payback card of ~some~ a book store/reseller, it seems. I guess. [1]

1: http://www.borders.com/online/store/FaqView_faq1

