Hope it's not a repost but this is brilliant... although putting it up in my office wouldnt change anything. Password123 was there before me and it'll be there after me.

"I really love the new $3k Fortigate firewall switch you bought for the office after our chat about security but it doesn't change the fact that you can access any computer in the company using Password123" - me

So, a rather unfortunate bug on the Minecraft website.

Minecraft allows you to change your name every 30 days. I was reverse engineering their API so I could use it personally.

On the username change form there are two fields: your desired username, and your password.

To protect myself from actually changing my name, I purposefully put in password123 so that it would fail. Then, I clicked "Change name" to monitor the network traffic.

Well that's when two unfortunate things combined.

#1: I used my last name to test. It's a unique word that is relatively short and very easy for me to type out of habit.

#2: That password field doesn't actually get validated.

So imagine my shock when I clicked "change username" and it WORKED.

And now my username is doxxing me for at least 30 days + the permanent name history

FUCK me

***ILLEGAL***
so its IPL(cricket) season in india, there is a OTT service called hotstar (its like netflix of india), the cricket streams exclusively on hotstar..
so a quick google search reveals literally thousands of emails & passwords, found a pastebin containing 500 emails&passwords ...but those are leaked last year most of passwords are changed & many of them enabled 2FA.. after looking through them we can find some passwords are similar to their emails , some contains birth year like 1975,1997 etc, some passwords end with 123 ..so after trying a few different versions of the passwords like
1) password123 -> password@123, password1234
2) passwordyear -> password@year
2) for passwords similar to emails, we can add 123 ,1234, @ etc
created a quick python script for sending login requests

so after like 30-40 mins of work, i have 7 working accounts

*for those who have basic idea of security practices you can skip this part

lessons learnt
1) enable 2FA
2) use strong passwords, if you change your password , new password should be very different from the old one

there are several thousands of leaked plaintext passwords for services like netflix,spotify, hulu etc, are easily available using simple google search,
after looking through & analysing thousands of them you can find many common passwords , common patterns
they may not be as obvious as password ,password123 but they are easily guessable.
mainly this is because these type of entertainment services are used by the average joe, they dont care about strong passwords, 2FA etc

This night I had nightmares about our codebase.
After the deadline I should seriously suggest some refactoring.