Overview: I teamed up with some guys who run a website that links to TV shows. I coded PHP for many years and increased my skills by doing free projects like this. I got an IM this afternoon saying "check this out": it was a script being sold for $100+, similar to what I created, except with one feature my friend wanted, an aggregation script. The intention was to log in to the demo, figure out the aggregation source and reverse engineer the solution for our own use. Once in the demo, if I'm honest, I was impressed. Later I grew to know why: the developer is "well known" and has done work for some well-known people and websites, a famous URL shortener, a known affiliate link marketer, a Facebook marketing site and a Twitter who's-who directory. And of course he's been an active member on digitalpoint since 2007; his work has made it to well-known blogs and print newspapers, thereby making his employers' businesses and his reputation thrive.

I'm in the demo, and it wasn't giving me much reverse-engineering info, so I went to another page in the demo admincp where there was data filled in. View Source, and the password is there in plain text, and still is, which is the reason I've not given identifiable information and an email should be written, right? The password is ironic to what it is, so much so that I thought it would not work. To say the least, it did: I logged into one website, followed by another. Any work, any account, the developer used the same password. I logged in, clicked a page or two and logged out.

So what is to be done? I could add a notification to these many high-ranking websites and blogs, gain some notoriety and follow the path of Adrian Lamo. Or I could email the guy, let him know, and I'd presume he would be pissed. The problem with these is that VPNs are slow, so he has my identity; of course I'd defend that it's their own fault for giving anyone the password in plain text. The other option is to ignore it.

My identity will eventually be gone from their logs, and anyone with more negative intentions could wreak havoc. To me that means information about buyers on digitalpoint, information/code from his employers' websites and, as a whole, a skilled developer ridiculed for a lapse in judgment and general **** security of his identity across the board.

Note
- Devs should remove any data from the demos, remove all actions.
- DON'T use the same password for everything and anything; damage limitation means that if a password is revealed it won't reach your more "important" accounts.
- Use different passwords for access to your employers' content; this was the shocker to me.
- I'm not saying I'm better and my sites should be tested.

---

What advice would you give? How would you write the "I hacked your website(s)" email?
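As an added example, not the poster's code or the script vendor's: a check a developer could run over their own rendered demo or admincp pages to catch the defect described above, a stored credential echoed back into the HTML source. The field names, hint list and sample form are constructed.

```python
# Added example (not the poster's code): scan a rendered admin/demo page for form
# fields that ship a secret in the HTML source, the defect described in the post.
from html.parser import HTMLParser

# Constructed list of substrings that mark a field as secret-bearing.
SECRET_HINTS = ("pass", "pwd", "secret", "token", "apikey", "api_key")


class PrefilledSecretFinder(HTMLParser):
    """Collects <input> elements whose type or name looks secret-bearing and whose
    value attribute is non-empty, i.e. a credential echoed back into the page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser already lowercases attr names
        name = a.get("name") or a.get("id") or ""
        is_secret = a.get("type", "").lower() == "password" or any(
            h in name.lower() for h in SECRET_HINTS
        )
        if is_secret and a.get("value", "").strip():
            self.findings.append((name, a["value"]))


def find_prefilled_secrets(html):
    """Return [(field_name, value), ...] for every secret-bearing input that is prefilled."""
    parser = PrefilledSecretFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def masked(value, keep=2):
    """Mask a leaked value so the finding can be reported without repeating the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


# Constructed sample: a demo admincp settings form that echoes stored settings back.
SAMPLE_HTML = """
<form action="/admincp/settings" method="post">
  <input type="text" name="site_name" value="Demo Aggregator">
  <input type="text" name="smtp_user" value="demo@example.invalid">
  <input type="password" name="smtp_password" value="hunter2-demo">
  <input type="text" name="api_key" value="sk_demo_0123456789">
  <input type="password" name="admin_password" value="">
</form>
"""

if __name__ == "__main__":
    for field, value in find_prefilled_secrets(SAMPLE_HTML):
        print(f"prefilled secret in field {field!r}: {masked(value)}")
```

The same scan can be pointed at every page of a demo install before it is made public; a clean result is an empty list.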