
Activision denies storing Call of Duty Elite passwords in plain text

But promises to change password recovery procedure.


Activision has denied storing Call of Duty Elite passwords in plain text - but has admitted emailing them to customers in plain text form when they ask to recover them.

We were sent our Call of Duty Elite password in plain text form in an email after asking the PlayStation 3 and Xbox 360 stat tracking and social platform to retrieve it. The email is below.

This suggests Activision either stores player passwords on its servers in plain text format or in some retrievable version - and that if hackers were to find a way inside Activision's servers, they could use them.

But Activision insisted it encrypts all customer data.

"All Call of Duty Elite personal data, including passwords, are saved and stored using encryption," Activision told Eurogamer.

"Call of Duty Elite does not store any sensitive data in plain text. Currently, the only time passwords are sent in plain text is upon request from the registrant and only to the registered email address."

Most companies that store information use one-way encryption (hashing), which ensures they never actually know what their customers' passwords are.

Now, Activision has promised to stop sending passwords in plain text. "We are in the process of altering our password recovery procedure so that passwords are no longer delivered in plain text," the company continued. "That change will be implemented as soon as testing is completed."

One million people pay for the premium subscription to Call of Duty Elite, which costs £35 a year. But over four million have registered.

"Password management is the bane of the IT security administrator," Robert Siciliano, CEO of IDTheftSecurity.com, told Eurogamer.

"But it doesn't need to be. Systems where the user's email is used to send a password change request that requires the user to enter a new password is much more effective and secure than transmitting an unencrypted plain text password via email."
