Passwords stored in plain text

[hankertrix]

This should not even be happening in the first place. Replit clearly doesn’t take security seriously at all if they have user passwords stored in plaintext somewhere on their systems.

[codingMASTER398]

Noreplit.com has expired! Sorry ;-; it's safe to say that nobody really uses it anymore, at least the audience that would be worried about what was on there.
I totally agree though. Plaintext passwords is extremely baffling.

[hankertrix]

An update about the situation if anyone is interested:

Hey, Scott from Replit here. I can see how this email is scary or worrying, we're always trying to be transparent about these things. But I can also see some misunderstandings so we could have been more clear. I can share more of what happened.

We always store passwords encrypted using the current industry best practices (a one way hash plus salt), using secrets that we carefully guard. This code is also regularly audited.

What happened here was that in a specific scenario (password reset), the new password was sent securely to our server, but the entire incoming request was logged (before password encryption) and ended up temporarily in our logs. Only Replit employees have access to those logs.

This was discovered as part of a security audit, after which we removed the logging statement and historical logs. Then we let users who could have been affected know to update passwords, just to be safe.

So this email went to anybody who did a password reset in the period of time that logging statement was live in our codebase. We don't see any evidence that anybody read the passwords (outside of our security audit), but we recommended the reset out of an abundance of caution.

Link to the Reddit comment.

Still not great, but not as terrible as storing passwords in plain text.