PSA. Don’t share your password in your app’s release notes

PSA. Don't share your password in your app's release notes

Excited to watch the Guardians of the Galaxy Vol 3 at the cinema, or see what all the fuss is around The Super Mario Bros Movie?

Maybe you’ll leap onto your smartphone, and click on the MyOdeon app to find out what films are playing at your local flicks.

Oh! The OdeonUK app has just been updated… I wonder what new features it has?

Myodeon release notes
Release notes for latest version of MyOdeon app.

What’s New
Version 5.09.500

Updated text
Added Delete function to the app Click on menu> then click on my profile> click on update your details > Delete account> you get a delete warning > then click yes
To test delete function please use this login account and delete
Email: [email protected]
Password: Odeon1234!

Err… that looks awfully like the credentials for a test account, and – if I’m not very much mistaken – “Odeon1234!” is a really very dumb password indeed.

My guess is that this username and password combo was supposed to remain private, and only used by Odeon’s internal technical staff – rather than shared with hundreds of thousands of movie buffs.

Sign up to our free newsletter.
Security news, advice, and tips.

Hopefully there’s no serious harm done by this, but all app developers should take care about what they post in their release notes – just in case it accidentally leaks any helpful information to ne’er-do-wells.

Hat-tip: Thanks to Fiasco on Twitter for bringing Odeon’s curious release notes to my attention.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.