I had a very disturbing experience with the web hosting company web.com last week which led me to finally pull the trigger on moving the domain I had hosted there to another provider. I had been contemplating the idea for a while due to costs, but was motivated by concerns over their security policies to finally get it done.
Prior to last week I had a single vanity domain hosted with web.com. I don’t do a lot with the domain but I’ve had it for more than 15 years and it has been at web.com for most of that time. I had reason to use the email on that domain last week in order to register for a product demo. I was frustrated to not be able to log into my email account, and even more frustrated when I couldn’t log into the management console on the website to check on the status. I got a cryptic error message that the service was suspended. I quickly confirmed that my account was paid up to date and there were no messages on the site about any issues. I had received no notification via email from them that there was a problem. I sent an email to their support department asking for help.
I received a brief message from support:
Your account may have been suspended due to abuse. You are limited to sending 1000/per hour-per domain. Up to 5000 per day. To begin resolving any issue you are having with the email account in question, please try changing the password on that particular account.
I have a couple of issues with this response. First, “may have been” is not a helpful answer. It implies that he really doesn’t have a clue and is just guessing. The second problem is that there is no way to reset your password on an email account if you can’t get into the management console. The email went on to suggest I talk to the abuse team. That is a little alarming in and of itself, but I contacted them.
The abuse team representative was far more helpful; she apologized that they had disabled the management console instead of just preventing the mailbox from being used to send messages. The account had been compromised and was being used to send spam. I completely understood their reasons for suspending the sending of mail on an account that has been compromised and would have been happy with the response except for what followed. The representative first asked me for my password to confirm my identity. They call it a “secret word” but it is a password. You use it to log into your account. This is a violation of every security policy I’ve ever encountered. Then she proceeded to tell me what the password was that was compromised. Not just that it had been, but repeating the password. After I had changed the passwords she made further comments indicating that she could see the passwords I had just set. I couldn’t get off the phone fast enough.
It is entirely inappropriate for a customer service rep, even one involved in security, to be able to view my passwords on their system. Even further inappropriate for her to admit that she can see them. I have no confidence in the security at web.com if any of their employees can review my passwords and log into my account. This might not even be possible, but the fact that the passwords are not encrypted in a way that prevents their staff from repeating them to me on the phone doesn’t give me any reason to trust their stewardship of my information.
I moved my domain to a new provider within a couple of hours and cancelled the service the next morning (which annoyingly you have to call during office hours to accomplish). I don’t plan on using their services again and suggest they should take immediate steps to fix their security shortfalls and customer service failures.