Passwords Stored as Plain Text?

Jan 22, 2022

What is this? Seriously? In today’s world of hacks, breaches, and identity theft? Yes, and we hate that we found it with a service we like to order from. We did report it to them after they admitted it but… it seems they haven’t taken it seriously.

Let’s back up a bit and start from the beginning, shall we? This past year, we ordered some ham, and DAMN good ham I might add, from New Braunfels Smokehouse. I’m going to reiterate something, and that is that this is damn good food. Smoked perfectly and shipped to the US with 2 day shipping.

We did one order and created an account. A few days later we tried to log in. System said the account could not be found! The same account we created a few days before! So naturally, we sent off an email to their support team to figure it out.

Initial Email Out

In the meantime, we went through the process again, “created” another account with the same credentials as before, and got an order placed that somehow also had all of our details already in the system. Shortly after that, we got a reply back from their support team.

First Reply

Yup. They said they could see the password as it was and couldn’t believe we could remember it (Note: At this time it is 20 characters long). For reference, we use 1Password and highly recommend them, so we really don’t know any of our passwords. But because of that, we also know our passwords are entered correctly each and every time. This isn’t an ID-10T error on our end.

Confirmation Of Plain Text

We did some more research and found a few other things.

We responsibly reported this to them on October 26, 2021 and informed them they need to get their developers to fix these issues ASAP, as they are putting their customers at risk when they get hacked. Anyone who deals with security knows that it is never an IF you get hacked but a WHEN it happens, so it is best to prepare and make it as difficult as possible for hackers to get to any PII. We also informed them that we would publicly disclose this after 90 days per industry standard practices.

As much as we do love their products, we cannot recommend anyone purchase from them for the time being until it has been confirmed they are protecting users’ privacy.

If we ever get word they have fixed their backend, we’ll recommend them to all and start ordering from them again. If they don’t fix it, well, it was good while it lasted.