PSA. Don't share your password in your app's release notes

Excited to watch Guardians of the Galaxy Vol 3 at the cinema, or to see what all the fuss is about with The Super Mario Bros Movie?

Maybe you’ll leap onto your smartphone, and click on the MyOdeon app to find out what films are playing at your local flicks.

Oh! The OdeonUK app has just been updated… I wonder what new features it has?

Release notes for latest version of MyOdeon app.

What’s New


Version 5.09.500

Updated text


Added Delete function to the app Click on menu> then click on my profile> click on update your details > Delete account> you get a delete warning > then click yes


To test delete function please use this login account and delete


Email: [email protected]


Password: Odeon1234!

Err… that looks awfully like the credentials for a test account, and – if I’m not very much mistaken – “Odeon1234!” is a really very dumb password indeed.

My guess is that this username and password combo was supposed to remain private, and only used by Odeon’s internal technical staff – rather than shared with hundreds of thousands of movie buffs.

Hopefully there’s no serious harm done by this, but all app developers should take care about what they post in their release notes – just in case it accidentally leaks any helpful information to ne’er-do-wells.
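
One way to act on that advice, as an added example (not code from the original article or from Odeon): a pre-publication check that scans draft release notes for labelled secrets, email addresses and internal test instructions. The rule set, function names and sample notes are assumptions constructed for illustration.

```python
import re

# Hypothetical rule set for illustration; tune the patterns for your own team.
SECRET_LABEL = re.compile(
    r"(?i)\b(pass(?:word|wd|code)?|pwd|secret|api[_ -]?key|token)\b\s*[:=]\s*(\S+)")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TEST_HINT = re.compile(
    r"(?i)\b(test|qa|staging|internal)\b.*\b(login|account|credential)s?\b")

# Constructed sample inputs (placeholder values, not real credentials).
SAMPLE_LEAKY = """\
Version 0.0.0
Added Delete function to the app
To test delete function please use this login account and delete
Email: qa-user@example.com
Password: EXAMPLE-PLACEHOLDER
"""
SAMPLE_CLEAN = """\
Version 0.0.0
Added Delete function to the app
Fixed a crash when resetting your password from the login screen
"""


def scan_release_notes(text):
    """Return (line_number, rule, excerpt) findings for draft release notes."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        match = SECRET_LABEL.search(stripped)
        if match:
            # Report only the label so the secret itself never lands in CI logs.
            findings.append((number, "labelled-secret", match.group(1).lower()))
        if EMAIL.search(stripped):
            findings.append((number, "email-address", "<redacted>"))
        if TEST_HINT.search(stripped):
            findings.append((number, "internal-test-instruction", stripped[:40]))
    return findings


def is_publishable(text):
    """Block on a labelled secret, or on an email next to test instructions."""
    rules = {rule for _, rule, _ in scan_release_notes(text)}
    return not ("labelled-secret" in rules
                or {"email-address", "internal-test-instruction"} <= rules)


if __name__ == "__main__":
    print(scan_release_notes(SAMPLE_LEAKY), is_publishable(SAMPLE_LEAKY))
```

Run as a gate in the release pipeline, a check like this fails the build before the notes reach the app store listing; a mention of "password" in ordinary feature text, as in the clean sample, does not trip it.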



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.