Wow, a comment on that article describes a case that's far worse :S Involves SSN/SIN and fixed-number PINs in the clear.

"Would you consider doing a story on https://borrower.ecsi.net/ ?

Same thing, your password is an unchangeable 5-digit PIN that they email to you in plain-text. But your username is your SSN. And you can't get rid of your account until you pay off your student loans.

Fortunately they're not vulnerable to SQL injection, as far as I could tell. I really wanted to email them their entire list of SSNs / passwords."

N-digit pins on online sign-ins for universities are similarly awful and super common. To boot, they often have username = firstname.lastname@university.edu, so brute-forcing a target's password can be done on a laptop in short order.
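Added example, not part of the comment above or of any site it mentions: the defender's side of the short-PIN problem. With a predictable username and a 10^N keyspace, the only things standing between an account and exhaustive guessing are a policy that refuses short all-digit secrets and a detector that notices the failure burst. The log format, the thresholds and the sample lines are constructed assumptions for illustration.

```python
"""Detecting online PIN guessing against predictable usernames.

Added example; not code from the original comment. The log format and the
threshold values below are constructed assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import timedelta, datetime

# Policy knobs (assumed values; tune to your environment).
WINDOW = timedelta(minutes=5)   # sliding window for counting failures per account
FAIL_THRESHOLD = 10             # failures within WINDOW that flag an account
MAX_WEAK_PIN_LENGTH = 6         # all-digit secrets this short are rejected by policy

# Constructed sample: one account hammered from a single address until a guess
# lands, and one normal user who mistypes once.
SAMPLE_LOG = """\
2024-03-01T09:00:00 LOGIN_FAIL user=alice.smith ip=203.0.113.7
2024-03-01T09:00:05 LOGIN_FAIL user=alice.smith ip=203.0.113.7
2024-03-01T09:00:10 LOGIN_FAIL user=alice.smith ip=203.0.113.7
2024-03-01T09:00:15 LOGIN_FAIL user=alice.smith ip=203.0.113.7
2024-03-01T09:00:20 LOGIN_FAIL user=alice.smith ip=203.0.113.7
2024-03-01T09:00:25 LOGIN_FAIL user=alice.smith ip=203.0.113.7
2024-03-01T09:00:30 LOGIN_FAIL user=alice.smith ip=203.0.113.7
2024-03-01T09:00:35 LOGIN_FAIL user=alice.smith ip=203.0.113.7
2024-03-01T09:00:40 LOGIN_FAIL user=alice.smith ip=203.0.113.7
2024-03-01T09:00:45 LOGIN_FAIL user=alice.smith ip=203.0.113.7
2024-03-01T09:00:50 LOGIN_OK   user=alice.smith ip=203.0.113.7
2024-03-01T09:01:00 LOGIN_FAIL user=bob.jones ip=198.51.100.4
2024-03-01T09:01:30 LOGIN_OK   user=bob.jones ip=198.51.100.4
"""


def parse_line(line):
    """Parse one constructed log line into a dict; None for blank/short lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:])
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "ok": parts[1] == "LOGIN_OK",
        "user": fields.get("user", "?"),
        "ip": fields.get("ip", "?"),
    }


def flag_brute_force(log_text, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Return {user: {"flagged_at", "ips", "success_after_flag"}} for accounts
    whose failure count inside the sliding window reaches the threshold.

    A later successful login does not clear the flag: against a 10^N keyspace
    the guess that finally lands is exactly the event worth investigating, so it
    is recorded as success_after_flag instead.
    """
    recent = defaultdict(deque)   # user -> timestamps of failures inside window
    sources = defaultdict(set)    # user -> source addresses seen failing
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user = ev["user"]
        if ev["ok"]:
            if user in flagged:
                flagged[user]["success_after_flag"] = True
            continue
        q = recent[user]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        sources[user].add(ev["ip"])
        if len(q) >= threshold and user not in flagged:
            flagged[user] = {
                "flagged_at": ev["ts"],
                "ips": sorted(sources[user]),
                "success_after_flag": False,
            }
    return flagged


def is_weak_pin(secret, max_len=MAX_WEAK_PIN_LENGTH):
    """Policy check: reject all-digit secrets of max_len characters or fewer.
    Such a secret has at most 10**max_len possible values, so throttling alone
    carries the whole defence."""
    return secret.isdigit() and len(secret) <= max_len


if __name__ == "__main__":
    for user, info in flag_brute_force(SAMPLE_LOG).items():
        print(f"{user}: {len(info['ips'])} source(s), flagged at "
              f"{info['flagged_at'].isoformat()}, later success={info['success_after_flag']}")
    for s in ("48213", "483920112", "x7f2q"):
        print(f"{s!r} weak PIN: {is_weak_pin(s)}")
```

The detector keys on the account rather than the source address, since a guesser who knows the username pattern can spread attempts across addresses; the per-account window catches that, while the recorded source list still gives the responder something to block. Lockout or progressive delay is the matching mitigation, and the policy check is what keeps an all-digit five-character secret from ever being accepted in the first place.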