1 reviews & complaints.

Most Popular | Newest | More Options >
More filter options:
Posted by on
So our wedding photographer uses the site Pictage.com to host his photos for his customers and their family/friends to view and purchase from. In order for me to view my own photos on that site, I was required to join. That is, I was required to create a user name and password. When our wedding photos were posted online, they sent me an email to notify me of it and included my user name and password for reference (not uncommon). HOWEVER, they took it upon themselves to COPY OUR PHOTOGRAPHER ON THE EMAIL. Yes, that's right. They apparently thought they had the right to share my password with another individual without my consent. I, like a lot of people, use a universal password. That is, I use the same password for nearly everything I do online. So that means that my photographer (although I have no reason to necessarily distrust him) now has my log-in information for EVERYTHING that I do online. That is how phishing works, for those of you who may not know. They get you to enter a password for ANYTHING and then try using your email address and password to hack into your bank account, your PayPal account, etc., etc.

I sent Pictage the following email about it:
When sending me an email to notify me that my event was online, Pictage included my password in the email and copied the photographer on the email. I have a HUGE moral problem with being sent an email containing my password when this email is also being sent to a third party. That practice is HIGHLY irresponsible and unethical. Please CEASE this practice IMMEDIATELY. I expect to hear back regarding this matter in a timely fashion.

They responded this way:

Thank you for contacting Pictage! We include your photographer in the email because they are the ones who are helping you with your Event most of the time. We try to make sure that you will be able to access your photos whenever you would like, and if you are having techinical problems, you would be able to contact both us and your photographer if one or the other is not available. You can always change your password in "My Profile" located in the upper-right hand portion of the screen once logged in.
If you would like to make a suggestion, please email ideas@pictage.com, where we log and record all of our consumer's and photographer's suggestions.
Thank you for your time and patience, and have a wonderful day!

DO NOT USE PICTAGE! I intend to report them to the BBB and anyone else I can think of. Any suggestions, feel free to express them.
Read 20 RepliesAdd reply
User Replies:
GothicSmurf on 07/11/2007:
If you haven't already, change your passwords for everything else you have.

Using one password for things isn't a good idea, no matter how easy it is for you.

If you haven't' contacted the website yet, do so now and make sure you include a copy of their privacy policy and terms and conditions!

Sarah May on 07/11/2007:
Lucky for me I don't bank online and so there's no risk of financial loss. I have reported them to the BBB.
spiderman2 on 07/11/2007:
Using the same password for everything online is a huge mistake. When you change all your passwords, use different ones for different things.
Starlord on 07/11/2007:
If you know that is how phishing works, why do you have qa universal password? I thought the purpose of a password is to protect your data. If you used a unique password for your pictures, the only thing the photog could access would be the photos. Change your password(s) and don't use a universal.
CrystalSword on 07/11/2007:
Good one GB
Gannon_banned on 07/11/2007:
If you think that's what phishing is then you really need to re-evaluate what you think you know about the web. Phishing is INTENTIONALLY misrepresenting (read: fraudulently) one's self as someone else in order to steal information from another source. The website does have a very bad governance and data policy... but it certainly is not phishing for information. Now, if the photographer set the site up with the purpose of just collecting login information... well... that wouldn't work all that well, because even if the site got A user name and password, that doesn't mean that it's the same one a person uses everywhere else. Phishing usually goes for important data like SSNs, credit cards or login accounts to sites that contain that data (PayPal, etc.) Knowing is half the battle.
jktshff1 on 07/12/2007:
here is a neat password creator and it's free
FoggyOne on 07/12/2007:
I know, I know - a different password for every account - site. How do you remember them? I know - write them down on a piece of paper and paste it on the bottom of your keyboard. KIDDING!! I have standard ones and keep track of the first letter, that tells me what the rest is. On my list I have the site (YAHOO mail), userid, password hint like C. I know C is always CENTURY99 or B is always BOZO9999 where the '9' can be month, year, age, etc. If anyone looked at my list they would have a hard time deciding what C expands to but I know instantly. Just an idea.

To the original poster - I agree entirely. The company was very unethical in giving your password to anyone other than you. There reasoning is greatly flawed.
Sarah May on 07/12/2007:
Okay, wow I had no idea there were so many comments. I'll start with the one that needs addressing the most. Gannon_banned, before you begin spouting off a "lecture" on a topic that most everyone here understands anyway, it would be a good idea to read what it is that you're commenting on. As you put it, knowing is half the battle.
I said "That's how phishing WORKS, They get you to enter a password for ANYTHING and then try using your email address and password to hack into your bank account, your PayPal account, etc., etc." I didn't say that phishers acquire passwords from individuals who are willing to give them knowingingly away. The point being made was that someone who has phished a password for ANY LOGIN online will then try that password for other known sites and eventually find something worth the time. I don't need to be talked down to, Gannon, I'm as tall as you are.
Sarah May on 07/12/2007:
Also, to everyone who has made or plans to make the comment, YES I know that using a universal password is not a smart thing to do. The point of this review is that a company did something unethical. As starlord said, if I used a unique password for Pictage, the only thing the photographer would be able to access is the photos and my personal bookmarks for the photos. That is entirely true. But does that make it okay for the company to give the photographer my password? Absolutely not!
Gannon_banned on 07/12/2007:
I will assure you that you are FAR FAR from my height. Unless, of course, you have a terminal degree in Information Systems, but otherwise you can't even fathom my level. You are still wrong, period. Phishing is trying to capture information by using a fraudulent means. The key word is FRAUD. What you signed up for, is also what you got. What they did with the information was not to your liking, which you may have even agreed to in the terms of service, but it is not 'phishing' in any form. I don't agree with their policy, and you certainly have a right to call them out on it, but you should use the correct terminology. In our active directory system, when a user joins or moves within a group, their password is sent to everyone in the administrators group. Is that phishing? Get a grip!
Sarah May on 07/12/2007:
Again, please TRY to understand what I am saying. I did NOT say, imply, or believe that the act was phishing. I said that this is how phishing WORKS, as in, obtaining a password (the means is not the point) for one site will allow someone to access information at a number of other sites should you use the same password. The word "works" is used to imply success, not a general functioning. And really, your degree does not make you taller. Promise.
jktshff1 on 07/12/2007:
Hope this helps the 2 of you resolve this.
From Wikipedia, the free encyclopedia
Jump to: navigation, search
This phishing attempt, disguised as an official email from a (fictional) bank, attempts to trick the bank's members into giving away their account information by "confirming" it at the phisher's linked website.
This phishing attempt, disguised as an official email from a (fictional) bank, attempts to trick the bank's members into giving away their account information by "confirming" it at the phisher's linked website.
A Geocities web page duplicating the Yahoo! login page.
A Geocities web page duplicating the Yahoo! login page.

In computing, phishing is a criminal activity using social engineering techniques.[1] Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay and PayPal are two of the most targeted companies, and online banks are also common targets. Phishing is typically carried out by email or instant messaging,[2] and often directs users to give details at a website, although phone contact has been used as well.[3] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures.
jktshff1 on 07/12/2007:
This ones from Webopedia
(fish´ing) (n.) The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user’s information.

For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user’s account was about to be suspended unless he clicked on the provided link and updated the credit card information that the genuine eBay already had. Because it is relatively simple to make a Web site look like a legitimate organizations site by mimicking the HTML code, the scam counted on people being tricked into thinking they were actually being contacted by eBay and were subsequently going to eBay’s site to update their account information. By spamming large groups of people, the “phisher” counted on the e-mail being read by a percentage of people who actually had listed credit card numbers with eBay legitimately.

Phishing, also referred to as brand spoofing or carding, is a variation on "fishing," the idea being that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted into biting.
Sarah May on 07/12/2007:
It really doesn't. Because, as I've been trying to explain for three comments now, I wasn't calling the act phishing. I don't believe it to be. My point was that a password, for many, many people, can be used to log in to more than one site. Meaning that if someone were given my password for Pictage, they could try the same email and password combo for PayPal *just like a phisher would* There's an example thereof a Yahoo! page being duplicated. What harm can come from someone having your Yahoo! login? Not much. But if you use the same password for Yahoo! as you do for your online banking, than the consequence can be catastrophic. That's my point. Ugh.
Sarah May on 07/12/2007:
And since definitions seem to be the thing, here's the one that actually matters:
work –verb (used without object)
1.to do work; labor.
2.to be employed, esp. as a means of earning one's livelihood: He hasn't worked for six weeks.
3.to be in operation, as a machine.
4.to act or operate effectively: The pump will not work. The plan works.
See definition 4. As in, "Yay, it works!" or "How's that working for you?"
I meant "work" as in, "This is what makes phishing *successful* If they've got your password for one thing, they can probably use it for another."
Anonymous on 07/12/2007:
Sarah May, I really don't understand how this turned into a "phishing" expedition. I think some people are focusing on the wrong thing, here.

I'd be just as peeved if my login info/password was shared with another individual(w/o my knowledge).

I think Sarah May is merely trying to warn others about what *might* happen to you with certain photography services. It's a fair warning, in my opinion. Just because she used the term "phishing" does not negate the complaint.
Sarah May on 07/12/2007:
Thank you, emt. Apparently my wording doesn't suffice in expressing that the term was used to relay a possible end result only. But you're absolutely right, this has nothing at all to do with terminology. There is a danger in someone having your password for any site and the danger goes beyond what can happen within the site. And yeah, it's definitely a peeve-worthy occurrence to have it simply given away by those who work for the site. I'd honestly feel better about it if it were phished; at least then it would be my own fault.
jktshff1 on 07/12/2007:
emt hit the nail on the head!
sm did make a good point!
Anonymous on 07/18/2007:
Are you referring to this pharase ghostbuster "And really, your degree does not make you taller. Promise." That's just an expression, Sarah May is not commenting on how tall he is, she is basically saying that a degree does not make him/her any better than herself.

Sarah May - From now on I would advise you to user a different password for every site you join. That way if someone guesses one they can't guess the other. It may be hard to remember which ones you use, but hopefully this will help in the future. Not that I agree with them giving your password without your permission. Have you contacted a lawyer for this.
Close commentsAdd reply
Top of Page | Next Page >