SuperProf private tutor site massively fails password test, makes accounts super easy to hack

This isn’t super. The level of incompetence is astonishing.


SuperProf, which claims to be “the world’s largest tutoring network”, has made its newest members’ passwords utterly predictable… leaving them wide open to hackers.

SuperProf is a website that helps you find a private tutor – either online via webcam, or face-to-face. The site claims to have over three million tutors on its books, helping people learn languages, how to play musical instruments, or giving kids extra lessons in tricky subjects.

It’s not the only site which offers these kinds of services. For instance, SuperProf has just taken over UK-based The Tutor Pages, and – to the surprise of many Tutor Pages teachers – migrated them to SuperProf.


And, sadly, that account migration has been utterly incompetent from the security point of view.

Here is part of the email that SuperProf sent Tutor Pages teachers last night, giving them details of how they can login to their new SuperProf account:

[Image: Superprof email]

Let’s take a closer look at that email, specifically the part where it tells the recipient what their new username and password are.

[Image: Superprof email excerpt, Barbara]

Huh! That’s a funny coincidence isn’t it? The tutor’s name is Barbara, and her new SuperProf-provided password is “superbarbara”.

Let’s take a look at another one:

[Image: Superprof email excerpt, Lisa]

Hmm… Clarinetist Lisa’s new SuperProf-supplied password is “superlisa”.

And the same password pattern was also true for Cardiff-based pianist Philip (“superphilip”), and others who got in touch with me.

I think you’re getting the picture. SuperProf has given temporary passwords to its newly-migrated users that are not just guessable, they are entirely predictable. They just shoved the word “super” in front of the user’s first name.

The message is clear to anyone who has woken up this morning to find they now have a SuperProf account: Change your password immediately.
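The failure described above is easy to catch before a single email goes out: compare each temporary password against the account data it was issued for, and reject anything that embeds the user’s name or username. The following is an added Python example, not SuperProf’s code; the three accounts and their e-mail addresses are constructed for illustration, and `weak_temp_password` simply reproduces the “super” + first-name pattern the article reports so that the check has something to flag. The hardened generator uses `secrets`, which is what a random-string reset should be built on.

```python
import secrets
import string

# Constructed sample of migrated accounts (addresses are made up for this example).
MIGRATED_ACCOUNTS = [
    {"username": "barbara@example.com", "first_name": "Barbara"},
    {"username": "lisa@example.com", "first_name": "Lisa"},
    {"username": "philip@example.com", "first_name": "Philip"},
]


def weak_temp_password(first_name: str) -> str:
    """The scheme the article describes: a fixed word in front of the first name.
    Anyone who knows a tutor's name can derive it; kept here only so the audit
    below has a predictable password to flag."""
    return "super" + first_name.lower()


def strong_temp_password(length: int = 16) -> str:
    """Hardened replacement: a CSPRNG-generated string unrelated to any account data."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derived_from_account(password: str, account: dict, min_fragment: int = 3) -> bool:
    """Return True if the candidate password contains the account holder's first
    name, username, or the local part of the username (case-insensitive).
    This is the 'derived from the account' test NIST SP 800-63B asks verifiers
    to apply before accepting a password."""
    pw = password.lower()
    fragments = set()
    for field in ("first_name", "username"):
        value = account.get(field, "").lower()
        local_part = value.split("@")[0]
        for token in (value, local_part):
            if len(token) >= min_fragment:
                fragments.add(token)
    return any(fragment in pw for fragment in fragments)


def audit(accounts, issue) -> list:
    """Issue a temporary password for each account via `issue(account)` and
    return the usernames whose password fails the derived-from-account check.
    An empty list means every password issued is independent of the user."""
    flagged = []
    for account in accounts:
        candidate = issue(account)
        if derived_from_account(candidate, account):
            flagged.append(account["username"])
    return flagged


if __name__ == "__main__":
    print("weak scheme flagged:",
          audit(MIGRATED_ACCOUNTS, lambda a: weak_temp_password(a["first_name"])))
    print("random scheme flagged:",
          audit(MIGRATED_ACCOUNTS, lambda a: strong_temp_password()))
```

Run as a pre-send gate in a migration job, a non-empty result from `audit` is the signal to stop the mailout. The check is deliberately a substring match rather than an equality test, so “superbarbara”, “Barbara2019” and “barbara@example.com” are all rejected for Barbara’s account.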

I can’t find any official comment from SuperProf about their massive password failure, and they haven’t responded to my requests for comment.

The best I can find is a Facebook post where they own up to some “teething issues.”

[Image: Superprof Facebook post]

I don’t know whether they yet realise that they have made a calamitous error with their new users’ passwords, or whether they’re referring to other complaints from the newly-migrated tutors.

[Image: Superprof complaints]

One of the complainants is clarinetist Lisa, who contacted me to complain about the security failure, as well as SuperProf changing details on her profile:

“They changed my hourly rates, listed as “first lesson free” which I can’t remove unless I pay to upgrade and changed my password to something totally hackable. They’ve also removed all my student testimonials and my website link, which I’d paid for.

They changed my “heading” to saxophone when I’m a clarinet teacher and I can’t change that. They also contacted me by text, using the number I listed for student contact with Tutor Pages, which I never gave permission for, and are handing out my contact details to potential students, who I now have to contact to explain why my rates are higher than advertised, making me look like a scam artist.”

“It’s disgusting. Heads should roll at Tutor Pages for selling on our details like this without permission.”

SuperProf? You’ve failed.

Update:

Jon Superprof (surely that’s not his real name?) of SuperProf has responded to my requests for comment with the following statement:

Thank you for your vigilance and reaching out to us on this issue. We really appreciate it.

At Superprof we take security seriously and know how key it is to the running of our business.

Following your email we have taken action to reset all the passwords from migrated tutors’ accounts with random string characters (as of 4:47pm). We are sending emails to all tutors from The Tutor Pages explaining migration corrections and password reset. We also encourage users to connect to their account to modify their password.

We are also holding a backup of all tutor profiles from The Tutor Pages in case tutors would like us to re-migrate, or update information initially present in their TTP profile, that was not migrated to Superprof.

Below you can see a copy of the email that is being sent to users.

[Image: Password reset email]


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.

8 comments on “SuperProf private tutor site massively fails password test, makes accounts super easy to hack”

  1. Roberto

    superprof.fr (french site) stores passwords in plain text.
    Just verified.

  2. Peter (not a tutor)

    So if Lisa, Barbara and Philip knew other tutors with the same surname they'd have the same password? What could possibly go wrong?!

    1. Somewhat worse than that I'm afraid.

      SuperProf gave folks passwords of the format "super"+<*first* name>

      So, everyone called Lisa, Barbara, and Philip was given the passwords "superlisa", "superbarbara", and "superphilip" respectively.

      Which, of course, also means that they don't have to have the same name as you for you to be able to work out their password.

      Superdumb.

  3. David Heath

    …and the new 'random' passwords were sent in plain text in an email.

    What could possibly go wrong!!

    What I can't understand is why they couldn't keep the Tutor Pages site running while they did a migration in the background. All they'd have to do is a minor amount of journaling to capture changes after the snapshot was taken and roll those in at the end.

    This whole thing smacks of Dunning-Kruger gone rampant!!

  4. Féargus MC dermott

    superprof slips in a charge for the customer to bring their custom to a teacher – seems like they're milking the teat from both ends.

    And it's not just a one-off – these guys want 19 dollars a month AD INFINITUM from you, the customer.

    Beggars belief – the stones on these guys

    Also, you don't discover this vile practice until after you've spent time composing an introduction to a tutor that you've selected.

    Seller of Service pays for advert – Customer reads and gets in touch. Simple as.

    Buh-bye superprof.

  5. Jhon Kyle

    Hello Graham,

    I have faced the same issue during the sign-in process. I can't even use my superprof a/c, and when I am using the forgotten password option that is also not working. So, I switched to LearnPick, their system is highly verified and I got student leads in Cape Town near my area. Here, I wanna suggest everyone do the same if you really want some tuition jobs.

  6. Ben

    I'm being randomly spammed by SuperProf text messages. Any idea how to stop it?

  7. Rita L DiVenti

    Super prof is a scam. I was looking into getting some computer tutoring. I never spoke to anyone. I called their number and was told no one could be reached at that number. I never had the opportunity to even ask if computer tutoring was on their agenda. I never received any services. All I received was a bill on my AmEx for $49.00 and Am Ex won’t help me
