Betting platform BetVictor, which has an estimated turnover in excess of £1 billion and half a million customers in more than 160 countries around the world, left a password list for its internal systems on its website.
The document, titled “Logins/Links to Back Offices – Internal”, contained a list of links to back office systems, including passwords to the company’s trading platform, support ticketing system, and Experian’s identity verification service. Many of the systems were accessible externally, and eleven of the passwords were in the Pwned Passwords dataset.
Security researcher Chris Hogben found the document through the customer support search box on the company’s website. He said that the document dated back to 2015, though it wasn’t clear how long it had been publicly available online.
Other internal documents were also accessible through the search box, such as guidance for support staff dealing with a disgruntled customer.
The document was pulled from the site after Hogben alerted the team to the problem.
“We are still investigating this matter with our third party suppliers and cannot answer any specific questions at this point in time,” a spokesperson for BetVictor said.