No announcement yet.

Dear Betfair - What should have happened was....

This topic is closed.
  • Filter
  • Time
  • Show
Clear All
new posts

  • Dear Betfair - What should have happened was....

    We advised Betfair on the details of a serious security flaw in a software product was compromising Betfair customers user names & passwords. The product should have been switched off immediately & affected customers informed ASAP that day their passwords had been compromised and needed to be changed. Anything else would be a secondary consideration. The product could have then been fixed, fully security tested and then switched back on again. Or you would think right?

    What's new in version 1.2

  • #2
    What actually happened was..

    Wrong. Betfair had some meetings, told the vendor to correct immediately, expended massive resource into CMA, BS, Reccomendations, Lessons Learned, Priority Classifications and of course planning more meetings. They finally pulled the product after 3 days.{ I'm guessing that's because either the fraud, security, platform, & corporate horseshit departments finally found the off switch, or a strange looking geek allegedly held a gun to their head with the threat of public disclosure when he notified them again it was still compromising peoples passwords! }

    Betfair then somehow manage to turn an advertised "up to 6 week" software security certification process around in a record sub 6 hours. :WTF { That would be the same security processes that couldn't pick up on this piss easy to detect security hole then chaps? }

    Had some more {extremely heated} meetings and after 6 days from when they realized customer accounts had been compromised, Betfair had managed to achieve the significant milestone of "composing an email", which they said would be delivered the next day. { Go figure, they can do a full software security test in record time, but 6 days and how many meetings to compose an eMail FFS? }

    The software vendor themselves are not bothering to inform their users / customers that for the past 6 weeks their software has been regularly compromising peoples usernames and passwords, blaming the downtime on the Betfair API team instead of apologising to people & advising them to change their passwords ASAP. Geek finally loses it, { AKA } and goes and chews vendors arse off on a couple of forums exactly one week after Betfair notified the vendor of the breach. First he tries to discredit me, then passes on some bullshit virus story to the natives to publish, finally making a complete horseshit announcement some hours later that totally avoids the issue. Then when the penny finally drops that I really am fully aware of and extremely angry about the details of this and their behaviour around a couple of other serious security & privacy breaches, finally makes an admission announcement on both forums 30 hours later with how user security is their top priority.

    And finally with another alleged gun to their head, Betfair { on a Sunday when no one is really working } magically in a dark corner of the cleaning cupboard in Hammersmith, finally found the department that knew how to send a bulk email. Then a few more meetings later { Probably }, and after 9 whole days from when they realized customer accounts had been compromised, the following was finally received by affected customers. { Well by Richard & I anyway. } .........

    What's new in version 1.2


    • #3
      What finally happened was...

      Dear Customer,

      Betfair has been made aware that customers who had been using a third party software application called ‘**********’, may have had their Betfair username and password transmitted unencrypted while logging in to **** using this third party application.

      Under normal circumstances all customers’ usernames and passwords are encrypted between third party applications and Betfair. However for anyone using this third party application to access ****, this was not the case for a limited period of time.

      Betfair takes all matters relating to the security of its customers’ data with utmost seriousness and has contacted the creators of ‘**********’ to ensure that appropriate remedial action is taken to fix the problem with their software application. A new version of the third party **** software has now been released in which usernames and passwords are handled correctly.

      Whilst there is no indication that your username and password has fallen into the hands of an unauthorised third party, we do recommend that you log in to the Betfair website and change your password as a precautionary measure as soon as possible. This will help to ensure that your account security continues to be maintained at the highest possible level.

      When changing your password, we recommend that you use a new password which is at least 8 characters long and contains a mixture of upper and lower case letters, numbers and special characters.

      We strongly advise all of our customers to change their passwords regularly as part of secure online habits.

      This issue only affects a small number of Betfair customers who have used the third party software application called ‘*********’ to access ****. No other Betfair customers are affected by this issue.

      For more information or if you would like to speak to a member of our Helpdesk team, please call 0844 871 0000 (UK customers) or email

      The Betfair Team

      ================================================== ================================================== ============================

      Caro XXXXX,

      A Betfair tomou conhecimento que, por um breve período de tempo, o nome-de-utilizador e palavra-passe e de alguns clientes que tenham utilizado o software desenvolvido por terceiros “*****” poderão ter sido transmitidos sem encriptação durante o início de sessão no *** da aplicação de terceiros.

      Em circunstâncias normais todos os nomes-de-utilizador e palavras-passe dos clientes são encriptados entre aplicações de terceiros e a Betfair. No entanto, para os utilizadores do **** através da aplicação de terceiros não foi momentaneamente esse o caso.

      A Betfair atribui a maior seriedade a todos os assuntos relacionados com a segurança dos seus utilizadores e contactou a ***** de forma a garantir que foram tomadas medidas correctivas apropriadas para que fosse resolvido imediatamente a questão no software da aplicação. A aplicação desenvolvida por terceiros ***** já lançou uma nova versão do software na qual o nome-de-utilizador e a palavra-passe são tratados de forma correcta.

      Não há qualquer indicação de que o teu nome-de-utilizador ou palavra-passe estejam na posse de estranhos, no entanto, recomendamos que inicies sessão na tua conta e alteres a tua palavra-passe, apenas como medida de precaução. Isto ajudará a garantir que a segurança da tua conta continua a ser mantida ao nível mais elevado possível.

      Quando alterares a tua palavra-passe, recomendamos que cries uma senha forte, que deverá ter no mínimo 8 caracteres e deve ser uma combinação de letras maiúsculas e minúsculas, números e caracteres especiais.

      A Betfair aconselha vivamente todos os clientes a alterar as suas palavras-passe regularmente como parte de um hábito de navegar online de forma segura.

      Esta ocorrência afectou apenas um pequeno número de clientes que utilizaram a aplicação desenvolvida por terceiros denominada “*****” ao acederem ao ****. Não houve qualquer outro cliente Betfair afectado.

      Para obter mais informações ou se desejares entrar em contacto com a equipa de Apoio ao Cliente, contacta:


      A Equipa de Apoio ao Cliente Betfair

      What's new in version 1.2