Obviously I do not want to get too specific about this organization.
In response to a password reset request, they sent me back my current password, in plain text. Correct me if I’m wrong here, but their sending back my actual login password in plain text means that they are receiving and storing passwords in plain text on their end, somewhere. Which I also believe is a sizeable security flaw, and indicates that at some important point in the chain, maybe several, no cryptographic standard is being used at all.
My goal here is to try to most efficiently contact the organization to give them a heads up to correct this before that happens.
How do I constructively phrase the help request here? Who do I direct it to? To who, if anyone, should I not direct it?
I’m kind of at a loss here, but I’d like to have a plaintext username/pw info sitting around that links directly to my uploaded financial docs.