Back around 13 years ago I believe the default to have it enabled was changed. That said, a lot of sites carried on leaking that way, ft.com was one - even after it was pointed out to them. Eventually they changed things when I mentioned it to an IBM rep who also dealt with FT's account, nice rep.

I can see how it can end up being enabled and left open, but it is also that level of administration that opens you up to other more concerning issues, this is a concerning issue for many reasons. If you had a firewall that blocked off by default not explicitly allowed (with good wildcarding when needed on subdirectories) remote access to everything not the main public site then that would have caught it. If you had an access control, that again would have controlled it.

Only way some companies will learn is to be hacked or being done under the laws for leaking private data. So if you go onto a site like that, tell their admin they are in breach of the applicable data protection/privacy laws you have that can cover such things. Then if they don't fix it, cash in on their stupidity and sue them, you get paid for your time and they pay for their crime and learn the only way some do learn. Don't hack them, no need, just use the law. Or get a patent on bad administration and use that to claim back royalties. Crazy approach, but if you have the money to cater for such whims, let us all know how it pans out, profitable and educational for the patent system. Who would contest and claim prior art on stupidity of administrating computers, you would get your money's worth in laughs if nothing else.

Short version, this is an old issue and you are also breaking data protection/privacy laws - be warned. If you see it, warn them and feel free to educate them via the legal cash machine.