Ask HN: Customer support asked for my login/password, what should I do?
I am using a device which syncs to the manufacturer's cloud (major brand, you would know them). I reported a potential bug to their customer support. They asked for my login/password to verify. The email headers appear legit, and they were not pushy when I proposed to send screen captures instead. What can I do to make the world a better and more secure place?

Can you provide more details? What's the company, the device and what exactly is the issue you are facing?

I am not sure about naming the company, as I'm not sure it would help them (but maybe?). The device is in the IoT/fitness space. I don't think explaining good security practices to a customer support person is going to help as they are just following their script. The bug is irrelevant to the security issue of asking for a password; it is not a security bug itself.