The Register® — Biting the hand that feeds IT

Heart Internet spreads the love passwords

Hosting firm suffers security aneurysm

Web hosting outfit Heart Internet has caused security-conscious customers to skip a beat by sending them a handy text file email attachment containing other people's new passwords.

Last week Heart Internet decided to reset a bunch of FTP and eXtend passwords that had not been changed by their account owners for "an extended period".

Its explanatory email said: "Attached to this email is a file list showing all domain names which have had their password changed. The new password is shown next to the domain name." Thing is, the .csv file attached contained not only a list of all the domains affected, but also every new password.

It's unclear how many customers have been affected by the blunder, as Heart Internet has been somewhat shy about discussing it.

According to one Reg reader who asked to remain anonymous, Heart Internet re-sent the email about one hour later, this time with only his new password in the attachment. Stable doors and horses seem apposite.

Nottingham-based Heart Internet was founded by Jonathan Brealey and Tim Beresford, who also set up and flogged major UK hosting players WebFusion and 123-Reg.

The firm's bosses have not returned any of half a dozen calls from El Reg. We can't imagine why. ®
