  1. #1
    Mattbar is offline Private Member
    Join Date
    July 2015
    Location
    London
    Posts
    670
    Thanks
    39
    Thanked 496 Times in 289 Posts

    Can Affiliate Account Managers Access Passwords?

    I got an email from an affiliate account manager today asking me to update some materials on one of my sites. The email they sent me contained both my username and password for logging in to my account. This is a fairly big, what I thought was reputable, affiliate programme. Putting aside the fact that my AM was monumentally stupid to send my username and password in the same email, it concerns me even more that the passwords are not encrypted on their end - they should not be able to see my password under any circumstances.

    I go to great efforts to secure my accounts with very strong passwords that contain further rules. What is the point when anyone at their end can access those passwords and potentially sell them on or corrupt the account? When I pointed out how out of line this was to my AM the response I got was "I didn't think you would remember your details with the complicated username and password. Feel free to change both if you wish."

    Has this happened to anyone else? I am totally astonished by the lack of security.

    I would welcome some feedback from some AM's too on this, how common is this, can you all see our passwords?

  2. The Following 2 Users Say Thank You to Mattbar For This Useful Post:

    -Shay- (1 November 2016), Vrindavan (4 November 2016)

  3. #2
    PromoteCasino is offline Private Member
    Join Date
    June 2013
    Location
    London
    Posts
    1,074
    Thanks
    991
    Thanked 482 Times in 322 Posts

    I would have thought AM's would have had some kind of admin password to gain access to your account. Sort of like a skeleton key.
    If this is true that they know your password it is very disturbing.
    Betting Offers in the UK - Latest offers and bonuses from reputable UK bookmakers. A New project underway but a long way to go Bookie Rewards

  4. The Following 2 Users Say Thank You to PromoteCasino For This Useful Post:

    -Shay- (1 November 2016), Vrindavan (4 November 2016)

  5. #3
    Mattbar is offline Private Member
    Join Date
    July 2015
    Location
    London
    Posts
    670
    Thanks
    39
    Thanked 496 Times in 289 Posts

    Quote Originally Posted by PromoteCasino View Post
    I would have thought AM's would have had some kind of admin password to gain access to your account. Sort of like a skeleton key.
    If this is true that they know your password it is very disturbing.
    Why should they need to get into our account directly, they can see all the stats associated with a username anyway? You don't need direct access to an account to generate materials or links or look into any account details or tracking issues. What if that AM sold on a load of account details to someone who then goes in and changes payment details or potentially deletes the account, this is seriously concerning for me.

  6. The Following User Says Thank You to Mattbar For This Useful Post:

    -Shay- (1 November 2016)

  7. #4
    baldidiot is offline Private Member
    Join Date
    January 2010
    Posts
    4,114
    Thanks
    400
    Thanked 1,864 Times in 1,218 Posts

    That would imply the passwords aren't encrypted, which is bloody worrying. Who is it? Or can you mention the aff software at least (ie: if it's IA it's a major problem, if it's proprietary it's a program that needs a slap).
    onlinegamblingwebsites.com - Formerly known as goodbonusguide.
    baldidiot.net - Baldy's affiliate blog. Will get updated one day. Maybe.

  8. The Following User Says Thank You to baldidiot For This Useful Post:

    -Shay- (1 November 2016)

  9. #5
    DaftDog is offline Private Member
    Join Date
    October 2008
    Posts
    1,788
    Thanks
    467
    Thanked 597 Times in 340 Posts

    This has happened to me several times as well. I can't remember exactly who it was but my immediate reaction was one of shock too. I also know that there are casinos that I have signed up with that will email me my login details and password with their promotions, just in case I forgot what they were.

    I will check when I'm back in the office tomorrow for some names.
    What's another word for Thesaurus?

  10. The Following User Says Thank You to DaftDog For This Useful Post:

    -Shay- (1 November 2016)

  11. #6
    Mattbar is offline Private Member
    Join Date
    July 2015
    Location
    London
    Posts
    670
    Thanks
    39
    Thanked 496 Times in 289 Posts

    Quote Originally Posted by baldidiot View Post
    That would imply the passwords aren't encrypted, which is bloody worrying. Who is it? Or can you mention the aff software at least (ie: if it's IA it's a major problem, if it's proprietary it's a program that needs a slap).
    It's Bingocams, they run their own software I think.

  12. The Following User Says Thank You to Mattbar For This Useful Post:

    -Shay- (1 November 2016)

  13. #7
    Sherlock is offline Public Member
    Join Date
    December 2013
    Location
    WC
    Posts
    3,458
    Thanks
    1,097
    Thanked 2,806 Times in 1,540 Posts

    It is common with US bookies. Notably 5dimes always ask for the password via emails or chats (random clerks) from both affiliates and bookies. The password is not only unencrypted, but visibly shown on the affiliate profile page. I also discovered that it is not case sensitive. Not sure how they survived 15 years or so, but apparently they did. With bitcoin payments it is a time bomb.
    We are all bloodsucking ticks, hungry, devious
    each one latched on to the ass of the previous
    when the last and the first latch on it can be shown
    ass-blood sucked by the first from the last is his own

  14. The Following 2 Users Say Thank You to Sherlock For This Useful Post:

    -Shay- (1 November 2016), FictionNet (2 November 2016)

  15. #8
    LukeC is offline Non-sponsor Affiliate Program
    Join Date
    October 2012
    Location
    Birmingham, UK
    Posts
    495
    Thanks
    48
    Thanked 122 Times in 49 Posts

    With Income Access, MyAffiliates and HasOffers, the passwords are encrypted and cannot be seen by affiliate managers. They can be reset though. Whether the AM is able to do that manually, or has to send out a reset email to the affiliate varies by software (but as the AM can change the account email, it's irrelevant if they wanted to do something nefarious). If you are an admin, you can hit "login as affiliate" and it will log you in as the affiliate. I have not logged into a Netrefer backend recently (or Mexos), so wouldn't want to comment on them.

    Going into the account directly is what most affiliate managers will do to pull links for you (pretty much every competent affiliate manager I know does this, as it prevents any chance of a manual error with pulling the wrong link for the wrong affiliate) and also to be able to see exactly what the affiliate is seeing when there are reporting queries.
    Head of Affiliates at Digital Fuel

  16. The Following 6 Users Say Thank You to LukeC For This Useful Post:

    -Shay- (1 November 2016), FictionNet (2 November 2016), HodgeyBoy (3 November 2016), Mattbar (1 November 2016), Renee (31 October 2016), TheGooner (31 October 2016)

  17. #9
    Triple7 is offline Private Member
    Join Date
    January 2015
    Posts
    2,689
    Thanks
    2,000
    Thanked 2,379 Times in 1,275 Posts

    They shouldn't. A password should be stored encrypted. Encrypted it's not readable for AM's. If it's readable for them, your password is not stored encrypted. That's a flagrant violation of privacy.

  18. #10
    sweetbet is offline Private Member
    Join Date
    November 2012
    Posts
    2,819
    Blog Entries
    5
    Thanks
    899
    Thanked 1,581 Times in 1,088 Posts

    I guess it depends on the affiliate platform being used, but I didn't know that some programs allow AMs to see the affiliates' passwords. This is all news to me.
    Sweet Bet - Reviews of reputable online casinos, poker sites, sportsbooks & bingo halls
    USA Online Casinos | Canadian Online Casinos | Bitcoin Casinos | Live Dealer Casinos | Free Spin Casinos | US Online Casinos

  19. #11
    Miles_FTA is offline No longer with Fast Track
    Join Date
    May 2010
    Posts
    1,490
    Thanks
    121
    Thanked 540 Times in 405 Posts

    NO ..

    We should not have access to affiliates' passwords and they are encrypted, but we do have the ability to log into an affiliate account from our affiliate interface as the affiliate.

    We need this functionality in order to assist affiliates in pulling trackers, setting up campaigns, getting them banners etc. It also allows us to see what the affiliate is seeing by looking at their reports.

  20. The Following User Says Thank You to Miles_FTA For This Useful Post:

    -Shay- (1 November 2016)

  21. #12
    Mattbar is offline Private Member
    Join Date
    July 2015
    Location
    London
    Posts
    670
    Thanks
    39
    Thanked 496 Times in 289 Posts

    Quote Originally Posted by LukeC View Post
    With Income Access, MyAffiliates and HasOffers, the passwords are encrypted and cannot be seen by affiliate managers. They can be reset though. Whether the AM is able to do that manually, or has to send out a reset email to the affiliate varies by software (but as the AM can change the account email, it's irrelevant if they wanted to do something nefarious). If you are an admin, you can hit "login as affiliate" and it will log you in as the affiliate. I have not logged into a Netrefer backend recently (or Mexos), so wouldn't want to comment on them.

    Going into the account directly is what most affiliate managers will do to pull links for you (pretty much every competent affiliate manager I know does this, as it prevents any chance of a manual error with pulling the wrong link for the wrong affiliate) and also to be able to see exactly what the affiliate is seeing when there are reporting queries.
    Hi Luke

    Thanks for this, this is the kind of insight I was looking for.

    I still think it is inherently wrong for anyone to be able to see a password. Yes, an AM can get into an account by pressing 'login as affiliate', although that is at least restricted to the AM and staff at that programme - I have no real issue with this. As you say too, an AM could change an email address if they wanted to do something nefarious, but this would at least create a trail back to that AM. If however AM's can access our passwords encrypted they could give them out to anybody who could then go and login.

  22. #13
    HodgeyBoy is offline Public Member
    Join Date
    September 2008
    Location
    Staffordshire, UK
    Posts
    1,303
    Thanks
    160
    Thanked 104 Times in 44 Posts

    When you received your Username and Password in the email, was the password the original one that you had set or was it different?
    Consultant Affiliate Manager
    anthony@tag-media.org
    https://www.tag.media/

  23. #14
    Mattbar is offline Private Member
    Join Date
    July 2015
    Location
    London
    Posts
    670
    Thanks
    39
    Thanked 496 Times in 289 Posts

    Quote Originally Posted by HodgeyBoy View Post
    When you received your Username and Password in the email, was the password the original one that you had set or was it different?
    No, it was the original password. I didn't ask for the details to be sent to me, this was an out of the blue email from them asking me to update a link on my site, nothing to do with my login details.

  24. The Following User Says Thank You to Mattbar For This Useful Post:

    HodgeyBoy (3 November 2016)

  25. #15
    universal4 is offline Forum Administrator
    Join Date
    July 2003
    Location
    Sinking Faster, just when I thought it couldn't get worse it did!
    Posts
    26,227
    Thanks
    1,704
    Thanked 7,552 Times in 4,765 Posts

    We should not have access to affiliates' passwords and they are encrypted, but we do have the ability to log into an affiliate account from our affiliate interface as the affiliate.

    We need this functionality in order to assist affiliates in pulling trackers, setting up campaigns, getting them banners etc. It also allows us to see what the affiliate is seeing by looking at their reports.
    This seems like a responsible way to handle things, and I would assume that when necessary authorized folks could log in to the affiliate's account.

    Very similar to the way that Exchange and other email server admins can use an administrator's account and "impersonate" the user and log in and see things the way the user sees them.

    One would hope that the users with this sort of admin power are kept to a minimum and then very strong passwords are used.

    Rick
    Universal4
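
The "login as affiliate" approach discussed in this thread, sketched as an added example (not code from any poster or affiliate platform): staff never learn the password, every impersonated action is logged against the staff member, and sensitive changes are refused. The key, staff list, action names and 15-minute lifetime are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-key"        # assumption: server-side secret
ALLOWED_STAFF = {"am_alice"}                # assumption: staff holding the right
BLOCKED = {"change_payment_details", "change_password", "delete_account"}
AUDIT_LOG = []                              # stand-in for an append-only store


def _sign(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()


def start_impersonation(staff: str, affiliate: str, reason: str, now=None) -> str:
    """Issue a 15-minute token naming both the affiliate and the acting staff."""
    now = time.time() if now is None else now
    if staff not in ALLOWED_STAFF or not reason.strip():
        AUDIT_LOG.append({"t": now, "staff": staff, "as": affiliate, "event": "denied"})
        raise PermissionError("impersonation not permitted")
    claims = {"sub": affiliate, "act": staff, "exp": now + 900}
    body = json.dumps(claims, sort_keys=True).encode()
    AUDIT_LOG.append({"t": now, "staff": staff, "as": affiliate,
                      "event": "start", "reason": reason})
    return body.hex() + "." + _sign(body).decode()


def authorize(token: str, action: str, now=None) -> bool:
    """Check signature and expiry, log the action, refuse sensitive changes."""
    now = time.time() if now is None else now
    body_hex, _, sig = token.partition(".")
    try:
        body = bytes.fromhex(body_hex)
    except ValueError:
        return False
    if not hmac.compare_digest(sig.encode(), _sign(body)):
        return False
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False
    allowed = action not in BLOCKED
    AUDIT_LOG.append({"t": now, "staff": claims["act"], "as": claims["sub"],
                      "event": action, "allowed": allowed})
    return allowed
```

Because the token carries the staff identity alongside the affiliate's, the audit trail points back to the person who acted rather than to the affiliate account.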

  26. #16
    HodgeyBoy is offline Public Member
    Join Date
    September 2008
    Location
    Staffordshire, UK
    Posts
    1,303
    Thanks
    160
    Thanked 104 Times in 44 Posts

    I've never worked with affiliate software that allowed me to see a password so I'm surprised to hear this. I have had functionality that allowed me to change a password or trigger a reset link to be sent to an affiliate's email address.
    Consultant Affiliate Manager
    anthony@tag-media.org
    https://www.tag.media/

  27. #17
    yeahfree is offline Private Member
    Join Date
    September 2011
    Location
    Mars
    Posts
    226
    Thanks
    36
    Thanked 161 Times in 92 Posts

    Passwords should not just be encrypted, they should be ONE WAY encrypted. This way it's saved into the database with encryption on it, without knowing what the unencrypted password might have been. If your database gets hacked, they only have a list of encrypted passwords. Using the right encryption makes it impossible to do something with it.

    If passwords are known anywhere in plain text, and they will get hacked one day... we're all ******.
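
One-way storage as described in this post is usually implemented as salted password hashing. The following is an added example, not code from the thread or from any affiliate platform; the function names and the PBKDF2 work factor are assumptions. It shows that the stored record lets the site verify a login but leaves nothing for staff to read back or email out.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor for this example


def hash_password(password: str) -> dict:
    """Build the record the database keeps: salt, work factor, digest."""
    salt = os.urandom(16)  # unique per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(attempt: str, record: dict) -> bool:
    """Re-derive the digest from the login attempt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def staff_view(username: str, record: dict) -> str:
    """Everything a staff screen could display from storage: no password field."""
    return f"{username}: salt={record['salt'][:8]}... hash={record['hash'][:8]}..."


if __name__ == "__main__":
    pw = "Tr1cky-Long-Passphrase!"  # constructed sample password
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print(staff_view("affiliate_a", rec_a))
    print("correct password:", verify_password(pw, rec_a))
    print("wrong case:", verify_password(pw.lower(), rec_a))
    print("same password, different records:", rec_a["hash"] != rec_b["hash"])
```

A site that can show or email the original password, or that accepts it in any letter case, is not storing it this way.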

  28. #18
    FictionNet is offline Closed by Request
    Join Date
    December 1969
    Posts
    5,265
    Thanks
    1,435
    Thanked 1,260 Times in 654 Posts

    Quote Originally Posted by LukeC View Post
    If you are an admin, you can hit "login as affiliate" and it will log you in as the affiliate.
    I learn something new every day. I always assumed affy managers/staff could see our passwords.

  29. #19
    Mattbar is offline Private Member
    Join Date
    July 2015
    Location
    London
    Posts
    670
    Thanks
    39
    Thanked 496 Times in 289 Posts

    Imagine if this was your bank, you would be in uproar. You wouldn't want your bank account manager to be able to see your passwords and login to your account directly, would you? Now consider how often you hold thousands in an affiliate account - this is very bad practice.

  30. The Following User Says Thank You to Mattbar For This Useful Post:

    -Shay- (3 November 2016)

  31. #20
    baldidiot is offline Private Member
    Join Date
    January 2010
    Posts
    4,114
    Thanks
    400
    Thanked 1,864 Times in 1,218 Posts

    Quote Originally Posted by Mattbar View Post
    It's Bingocams, they run their own software I think.
    Did they ever get back to you about this?



    Quote Originally Posted by LukeC View Post
    With Income Access, MyAffiliates and HasOffers, the passwords are encrypted and cannot be seen by affiliate managers. They can be reset though. Whether the AM is able to do that manually, or has to send out a reset email to the affiliate varies by software (but as the AM can change the account email, it's irrelevant if they wanted to do something nefarious). If you are an admin, you can hit "login as affiliate" and it will log you in as the affiliate. I have not logged into a Netrefer backend recently (or Mexos), so wouldn't want to comment on them.
    Can any AM's with access to Netrefer or Mexos let us know if they can see passwords? Just whilst we're on the subject.
    onlinegamblingwebsites.com - Formerly known as goodbonusguide.
    baldidiot.net - Baldy's affiliate blog. Will get updated one day. Maybe.

  32. The Following User Says Thank You to baldidiot For This Useful Post:

    -Shay- (3 November 2016)
