SuperProf, a website that provides tutoring services on various topics, has acquired a fellow service, The Tutor Pages, and migrated its userbase to its own service.
This migration from The Tutor Pages to SuperProf's infrastructure involved creating new user accounts and new passwords.
But unlike most websites on the Internet today, reports indicate that SuperProf did not generate random passwords for its users. Instead, it put together passwords made up of the word "super" and the user's surname, in the format of "superjohn" or "superjane."
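The flaw described above, as an added example that is not SuperProf's code: an audit that flags accounts whose stored hash matches "super" plus a name from the profile, next to a migration that sets no password and issues a random single-use reset token instead. The record fields, PBKDF2 work factor and sample accounts are assumptions constructed for illustration; both name fields are checked because the reported examples use first names.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def derived_password(name: str) -> str:
    """The scheme the article reports: the word "super" plus the user's name."""
    return "super" + name.strip().lower()

def has_derived_password(account: dict) -> bool:
    """Audit check: does the stored hash match a password built from the profile?"""
    for field in ("first_name", "surname"):
        candidate = hash_password(derived_password(account[field]), account["salt"])
        if hmac.compare_digest(candidate, account["password_hash"]):
            return True  # flag for forced reset
    return False

def migrate_account(user: dict, ttl_seconds: int = 24 * 3600) -> tuple[dict, str]:
    """Hardened migration: no usable password, only a single-use reset token."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    record = {
        "email": user["email"],
        "password_hash": None,  # login impossible until the user sets one
        "reset_token_sha256": hashlib.sha256(token.encode()).hexdigest(),
        "reset_expires": time.time() + ttl_seconds,
    }
    return record, token  # the token is e-mailed to the user, never stored

def _account(first: str, last: str, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"first_name": first, "surname": last, "salt": salt,
            "password_hash": hash_password(password, salt)}

# Constructed sample data, not real accounts.
ACCOUNTS = [
    _account("Jane", "Doe", "superjane"),
    _account("John", "Roe", "superroe"),
    _account("Alex", "Poe", secrets.token_urlsafe(16)),
]

if __name__ == "__main__":
    print([has_derived_password(a) for a in ACCOUNTS])  # [True, True, False]
```

Storing only the SHA-256 of the reset token means a leak of the migrated table does not hand out working reset links.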
"[The] account migration has been utterly incompetent from the security point of view," said Graham Cluley, a UK-based security blogger.
"The message is clear to anyone who has woken up this morning to find they now have a SuperProf account: Change your password immediately," Cluley wrote in a blog post documenting SuperProf's epic fail.
But the issue doesn't appear to be limited to SuperProf setting easy-to-guess passwords for old The Tutor Pages users. Some of these users are also griping about SuperProf changing some of the course details on their profiles and then asking users to pay a premium account fee to set them back to their initial settings.
Currently, SuperProf's Facebook page is slowly filling with disgruntled users seeking a way to delete their accounts and get money back from any leftover The Tutor Pages premium accounts.
UPDATE [12:45 ET]: Following an inquiry from Bleeping Computer, a SuperProf spokesperson said they have reset the passwords for all the recently migrated Tutor Pages user accounts. Full message below.