I recently became aware of a major online hotel broker that stores passwords as plaintext in their system. The management is aware of the technical risks and liabilities but has pushed off technical fixes for YEARS. Furthermore, the features of the website make it obvious that this could be q very valuable attack vector as the reset feature emails you your current plain text password.<p>So the question is: what is the ethical way to raise the issue and force their hand in a fix?<p>(Sorry for brevity and spelling; mobile on holiday)
How do you know it's actually plain text? There are plenty of 2-way encryption methods out there.<p>Do you work there? If so, are you willing to lose your job over it?<p>These sorts of leaks can have devastating effects on the company/customers. You should also think about the employees that work there as well. Are you willing to risk their jobs in the event that the company loses money?