
SuperProf, a website that provides tutoring services on various topics, has acquired a fellow service, The Tutor Pages, and migrated its userbase to its own service.

This migration from The Tutor Pages to SuperProf's infrastructure involved creating new user accounts and new passwords.

Unlike most websites on the Internet today, SuperProf reportedly did not generate random passwords for its users. Instead, it assembled each password from the word "super" and the user's surname, in the format of "superjohn" or "superjane."

Email received by a new SuperProf user containing her new password [via Graham Cluley]

"[The] account migration has been utterly incompetent from the security point of view," said Graham Cluley, a UK-based security blogger.

"The message is clear to anyone who has woken up this morning to find they now have a SuperProf account: Change your password immediately," Cluley wrote in a blog post documenting SuperProf's epic fail.

But the issue doesn't appear to be limited to SuperProf setting easy-to-guess passwords for former The Tutor Pages users. Some of these users are also griping that SuperProf changed some of the course details in their profiles and then asked them to pay a premium account fee to set them back to their initial settings.

Currently, SuperProf's Facebook page is slowly filling with disgruntled users seeking a way to delete their accounts and get money back from any leftover The Tutor Pages premium accounts.

UPDATE [12:45 ET]: Following an inquiry from Bleeping Computer, a SuperProf spokesperson said they have reset the passwords for all the recently migrated Tutor Pages user accounts. Full message below.

Following your email we have taken action to reset all the passwords from migrated tutors accounts with random string characters (as of 4:47pm [GMT]). We are sending emails to all tutors from The Tutor Pages explaining migration corrections and password reset. We also encourage users to connect to their account to modify their password.

We are also holding a backup of all tutor profiles from The Tutor Pages in case tutors would like us to re-migrate, or update information initially present in their TTP profile, that was not migrated to Superprof.
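As an added illustration (not SuperProf's code and not part of the original article), the sketch below shows what issuing random credentials during an account migration can look like, alongside an audit that flags temporary passwords derivable from profile data such as "super" plus a name. The field names, function names and sample accounts are hypothetical and constructed for this example.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits

# Constructed sample of migrated accounts (hypothetical field names).
SAMPLE = [
    {"first_name": "Jane", "surname": "Doe", "email": "jane.doe@example.com",
     "temp_password": "superjane"},
    {"first_name": "John", "surname": "Smith", "email": "john.smith@example.com",
     "temp_password": "k3VbQ9xTz2LmN8pRw4Yd"},
]


def is_derivable(password, profile):
    """True if the password contains a profile field (names, email local part)."""
    lowered = password.lower()
    fields = [profile["first_name"], profile["surname"],
              profile["email"].split("@")[0]]
    return any(len(f) >= 3 and f.lower() in lowered for f in fields)


def issue_credential(profile, length=20):
    """Return (temporary_password, stored_record) for one migrated account."""
    while True:
        # secrets draws from the OS CSPRNG; nothing here depends on the profile.
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not is_derivable(password, profile):  # rare collision, cheap to rule out
            break
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    record = {
        "email": profile["email"],
        "salt": salt.hex(),
        "scrypt": digest.hex(),          # only the salted hash is stored
        "must_change_password": True,    # user picks their own at first login
    }
    return password, record


def audit_existing(accounts):
    """Emails whose assigned temporary password is guessable from the profile."""
    return [a["email"] for a in accounts if is_derivable(a["temp_password"], a)]
```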
