Starting last August, a large retail store chain (name withheld to protect the innocent) had been sending me a pay statement (as a password-protected PDF file) as an email attachment to one of my many addresses. I suspect some lady is an employee, and she doesn't have an email address of her own, so she might have provided her husband's to her employer (pure speculation on my part). Only, she didn't quite get the address right, and I've been getting those statements. That particular email address starts with my actual name, so it's absolutely conceivable she's married to someone who shares my name (he's got a much more public profile on the internet than I do--if it is who I think it might be).
I got these emails every 2 weeks for months, and all my "I'm not the intended recipient" messages back went unanswered, until I went out of my way last month to find a contact on the store chain's web site. The emails have stopped. The nice lady was very apologetic and explained to me they have no way to verify that an email address provided by an employee is correct. Personally I didn't mind the error; I don't care and it's easy enough for me to ignore any such email or set up a rule to automatically trash it based on sender.
Lo and behold, I'm thinking my email is also part of a separate list they also maintain, because I just got another email from the same company--sent to a "training@[companyname.com]" alias. This email is telling me that, as part of some upcoming training session, they're going to soon email me my user name and a link, and a follow-up email containing my temporary password.
Since I only ever got a single contact from that company, I dug up her email again and explained that someone in their IT department is planning to send login credentials to an unverified account, and how bad an idea that is.
I'm not a security expert and I don't necessarily know what the best practices are, but if you're going to email login credentials to employees (at a massive scale), shouldn't those emails all stay within your own [companyname.com] domain, and not personal, random Hotmail, Outlook, Gmail, Yahoo, etc. addresses that employees have provided to you?
When I was in high school, I pointed out a computer system flaw to trusted teachers and school administration (I knew the principal and was on good terms with him, being a good student and all), and they actually turned on me and got me in a bit of trouble, which left a very bad taste in my mouth. I'm hoping [big faceless corporation] isn't going to take this the wrong way and sic its lawyers on me. Maybe I should just STFU. I'm just trying to do the right thing.
I don't think you could be charged for pointing out an error. On the contrary, the more proof you have that you informed them of their mistake, the better. You could even send them a recorded delivery letter, just to be sure they get the message. And it could serve as proof if they tried to sue you.
"Five fruits and vegetables a day? What a joke!
Personally, after the third watermelon, I'm full."
Should I start worrying yet about being able to live to tell the tale?
(and in the unlikely event you're taking me seriously: Never take me seriously.)
Had a girlfriend once who--if I didn't know any better--I could swear was bi-polar. What a roller-coaster ride. The highs were high, but the lows were just too low for me. I'm cautious to a fault these days.
Doesn't sound like you did anything that would cause them to sic lawyers on you; unfortunately, these days you never know. The old adage 'no good deed goes unpunished' comes to mind.
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikins uncle
Yeah, as others have mentioned, I stopped doing this as well. Pointed out a security flaw during a job interview once as I figured it would reflect well on my ability to do the job I was interviewing for. They did not appreciate it (or fix it last I checked).
To be sure, I went out of my way (I think) to mention I'm some random guy they are sending data to; that's not me poking around and trying to find flaws and making threats.
I didn't mention also that it would be trivial to go very public about it, and that in these days of very public security breaches, it would be easy for me to try to embarrass them. None of that noise. I've kept it very low-key with this one contact. And I'm not going to try to go over her head if nothing's done or she doesn't respond.
I would take a different approach than the others (and you) who have had their hands slapped for this kind of thing. I would go public in as big a way as you possibly can. Advertise it far and wide. Those feeble-minded idiots can't accept these things gracefully, so do not give them the option of coming back at you. Publicize it and make sure everyone knows what fools they are, and I see no reason whatsoever to withhold their names.
Also - word is failure. Fail is not a noun. It is a verb.
"They have a consciousness, they have a life, they have a soul! Damn you! Let the rabbits wear glasses! Save our brothers! Can I get an amen?"
"Epic fail" is a meme. I wasn't going for correct grammar.
About going public: I had thought about it, make a big splash, get it all over Twitter and Facebook and whatever other social media platforms they might have a presence on (people nowadays seem to do it all the time to "get things done" in a very public fashion)...but then I have no account on any of these platforms and would rather maintain my low internet profile. I wouldn't want Google to start caching this sort of story and have my name associated with it for time eternal.
No. The pay statement emails all originated from the correct domain, every two weeks, there's nothing in it that tries to "trick me" into opening it (as I said the PDF itself is password-protected) and the lady I had managed to contact pretty much confirmed what was going on.
At this point I've just informed them of the original problem (which they've fixed) but this is another matter--but both stem from the same reason...the bottom line is that one of their employees gave them an incorrectly-spelled email address, which happens to be Random Guy's address (me).
This contact has been responsive before, so I don't feel the need to go over her head. If they choose to ignore it this time around, I don't feel particularly compelled to do anything about it.