Security warning for Kayako customers

[cogorno]

This is a warning to Kayako customers about the security of your member account.

Do *not* use a password that you've used anywhere else. The passwords are not secure.

The kayako staff gave out my password to another employee while I was on vacation! Make sure you don't use a password that is used anywhere else.

PS: Kayako people, you need to get your act together. This is the most *unprofessional* company I've ever delt with.

[Digital Mayhem]

1) Kayako uses the latest Secure Socket Layer (SSL) protection technology to protect the members account area and Payment Gateway.

2) Kayako never gives out any passwords or account information to any third party..

[Giray]

Quote:

Originally Posted by cogorno

The kayako staff gave out my password to another employee while I was on vacation! Make sure you don't use a password that is used anywhere else.

No such thing as 'another' employee. If it's an employee, it's an employee, de facto and basta.
Question: do you have reason to believe that your password and user id were used maliciously? If so, I believe we would all like to know. You've dropped an accusation on a public board. You either substantiate it or we assume you're blindly attacking the company.

[User Name]

Wait, let's get this straight. What does "another employee" mean? Are you saying that Kayako staff gave your password to another member of the Kayako staff, or are you saying that Kayako staff gave your password to another member of your company that was not yourself?

The former would be ridiculous to complain about; the latter would be a matter of concern.

[darkhorse]

From what he said it looks like Kayako staff gave out cogorono's password to one of his other employess (not withing Kayako itself)
While this is a concern, it is possible for this to happen in any organization. I can call my brother's cellular provider and if i supply his address and a some other identification information, they will tell me anything i want, heck, i could even order things on his bill if i was so inclined to do so.

The point i am trying to make is this: No matter what you do it is allways possible that someone else could pose as you and be given your passwords. Therefore follow the standard security guidelines. Dont use passwords between different providers. As much of a hassle as it is, this is the only way you can really ensure security with passwords for different services.

[cogorno]

Quote:

Originally Posted by XeSolutions

2) Kayako never gives out any passwords or account information to any third party..

That's just not true.

I have an email that was sent *from Kayako* to my coworker with my account details in it.

Kayako does *not* take customer account information seriously.

-Steve

[cogorno]

Quote:

Originally Posted by User Name

Wait, let's get this straight. What does "another employee" mean? Are you saying that Kayako staff gave your password to another member of the Kayako staff, or are you saying that Kayako staff gave your password to another member of your company that was not yourself?

The former would be ridiculous to complain about; the latter would be a matter of concern.

Kayako gave my password to another Sun Microsystems employee so that he could log into my account.

The problem is that I used the same password on the Kayako site as some other passwords at Sun, which I had to change as soon as I found out that my password was compromised. If he were the malicious sort, he could have changed my payroll details or read my email.

Hence, my warning not to use the same password on kayako.com sites as any other password that is important to you. Yes, I know that you should use different passwords for every site as a matter of general security. But it isn't really practical to rememebr hundreds of passwords.

-Steve

[cogorno]

Quote:

Originally Posted by darkhorse

The point i am trying to make is this: No matter what you do it is allways possible that someone else could pose as you and be given your passwords. Therefore follow the standard security guidelines. Dont use passwords between different providers. As much of a hassle as it is, this is the only way you can really ensure security with passwords for different services.

Yes, you're right that someone could pose as me, but in this case, he clearly said who he was and they sent him the password and said "oh, just log into his account."

First of all, I'm shocked that the passwords are even *visible* to Kayako staff. Passwords should always be encoded in a one way hash.

And yes, I agree with you that passwords shouldn't be duplicated between sites. You don't know what people are doing with those passwords. But with so many accounts every, it's just not that practical to have different passwords everywhere.

But surely I will not use the same password on Kayako sites that I've used anywhere else.

[User Name]

Quote:

Originally Posted by cogorno

Kayako gave my password to another Sun Microsystems employee so that he could log into my account.
-Steve

That is a serious problem. You deserve an apology from Kayako, I believe. Regardless of how the customer handles his or her own passwords, the seller should take the utmost care when handling them.