> Some guys are shaking their heads in denial on this, but I swear to god, I
> have seen it.  I am not making this [bleep] up.  Credit card numbers have
> been sitting for YEARS in some boutique home-rolled shopping cart system
> MySQL database with the oh-so-clever username/password of nobody/nobody or
> www/www.
>
> I know what you are talking about; I have seen that type of table with
> literally thousands of CC numbers collected over the years, along with name
> on the card and expiry, of course.
> As a programmer it is your duty to report this to your client and to keep
> track, because if one day someone resells this list, you could be liable.

*hahah* I've seen it too, in the database, and then the guy also had a
debug log that wrote the data to the log file. Bigger problem was that
the log file was xwrxwrxwr right smack in request land with no access
restrictions :/ He never turned the debug log off.

