Last month, millions of passwords were compromised on LinkedIn, Last.fm and Yahoo. JetBlue could be next, because it seems to be incredibly reckless with users’ passwords.
Users have found the airline stores their passwords as plain, unprotected text. Worse, it emails the plain text passwords back to users, and emails can be easily compromised.
“Um, @JetBlue emailed me login info to something called their “TravelBank” to manage unused credit. It included my password in cleartext,” venture capitalist David Pakman tweeted yesterday.
The issue Pakman reported isn’t new either. Last August, another JetBlue user, Vijay Pandurangan, wrote about a similar incident.
Pandurangan says JetBlue sent him an automated email reply when he refunded a plane ticket. The email was from TravelBank and it contained both his plaintext password and account number.
“The fact that they have not even followed basic security procedures is really scary,” he writes. “Since many people use the same password all over the place, this is especially dangerous — having a very complex password may prevent hackers from figuring out your password from a hash, but is useless if they’re stored as plain text.”
Passwords should never be stored as plaintext, he explains. They should be stored as something much more secure, because if someone hacks into a database that holds plaintext, every user’s password is compromised. Plaintext storage also means that any employee with access to the database can look up anyone’s password.
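The difference Pandurangan describes, as an added example (not code from JetBlue, TravelBank or the article): a plaintext store beside one that keeps only a per-user salt and a slow one-way digest. The class names, the iteration count, the sample password and the choice of PBKDF2 are assumptions made for illustration; the article names no algorithm.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


class PlaintextStore:
    """The 'before': the password itself is the stored value."""

    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        self.rows[user] = password

    def verify(self, user, password):
        return hmac.compare_digest(self.rows[user].encode(), password.encode())

    def reminder_email_body(self, user):
        # Possible only because the secret is kept in recoverable form.
        return f"Your password is: {self.rows[user]}"


class HashedStore:
    """The 'after': only a random salt and a slow one-way digest are kept."""

    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        salt = os.urandom(16)  # unique per user, so equal passwords differ on disk
        self.rows[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        salt, digest = self.rows[user]
        # Re-derive from the candidate and compare in constant time.
        return hmac.compare_digest(digest, self._derive(password, salt))

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def leaked_passwords(store, known_passwords):
    """Simulate a database dump: which known passwords appear in it verbatim?"""
    dump = repr(store.rows).encode()
    return [p for p in known_passwords if p.encode() in dump]
```

A service built on the second store has nothing it could email back; an account-recovery flow has to issue a reset instead.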
Pandurangan pledged to never use JetBlue again until the problem is fixed. But per Pakman’s complaint, JetBlue hasn’t made any moves to store passwords more securely.
Pandurangan provided the text of the email he received from TravelBank/JetBlue. Pakman says it’s similar to the one he received:
Photo: Vijay Pandurangan’s Blog
JetBlue provided us with this statement:
We are working to resolve this issue, which is limited to the following circumstance:
We create a travel bank account to provide our customers with a service credit, which can be used towards the air portion of a JetBlue flight or Getaway package. JetBlue proactively deposits these vouchers into a “travel bank” for customers, and notifies them via email, based on the email we have on file with their travel record.