Your password is not hashed and is stored as plaintext or with reversible encryption. They claim it's not true but do not offer proof.
To Potential Customers:
When I did a "forgot my password" they sent me my actual password in plaintext instead of giving me a link to reset it.
This indicates that USA2Me is NOT hashing and salting passwords and is either storing passwords in a plaintext database or using reversible encryption. This is considered a poor security practice because it allows passwords to be easily exposed if the database is compromised by a disgruntled employee or hacker.
Hashing is a one-way function that transforms a password into a fixed-length string of characters, which is not reversible. This means that once a password is hashed, it cannot be decrypted back to its original form.
Encryption, on the other hand, is a two-way process where data can be transformed into a ciphertext and then decrypted back to plaintext using a key. If a website uses encryption for passwords, it means that the original password can be retrieved if the encryption key is available.
Considering they need a lot of info from customers to comply with federal regulations, I would consider them a ticking time bomb. I would be careful handing anyone with poor security hygiene any of your personal info.
Update: Changing plaintext password emailed to you to a password reset link does not solve the major flaw of storing un-hashed passwords in any database.
USA2Me.com does not publicly share any third-party security certifications, such as SOC 2 or ISO 27001, or publish any of their security audit findings. Be warned that anything they, or any company, claims about data security is just hearsay until proper documentation and audit findings prove otherwise. Again, I would be VERY CAREFUL handing them any personal information.
If any company is willing to sweep major security flaws under the rug and pretend encryption is the same as hashed passwords, they should probably be avoided.
To USA2Me:
USA2Me has been providing mail forwarding services for over 20 years, which means they have accumulated a significant amount of customer data over time. This data could be valuable to hackers looking to sell it on the black market, posing a potential risk to both customers and the company itself. If USA2Me is aware of security vulnerabilities but fails to address them, they could face serious consequences if they are breached. Consider the following:
SOC 2 (Service Organization Control 2) is a security standard developed by the American Institute of CPAs (AICPA) that focuses on controls related to security, availability, processing integrity, confidentiality, and privacy.
To obtain SOC 2 certification, a web service undergoes an audit by an independent third-party auditor to verify that their security controls meet the SOC 2 criteria.
SOC 2 certification provides assurance to subscribers that the web service has robust security measures in place to protect their data.
ISO 27001 is an international standard that specifies requirements for an Information Security Management System (ISMS).
To become ISO 27001 certified, a web service must establish, implement, maintain, and continually improve an ISMS, and undergo an audit by an accredited certification body.
ISO 27001 certification demonstrates that the web service has a systematic approach to managing sensitive information and is committed to continuous improvement of its security practices.
By obtaining these third-party certifications, web services can provide subscribers with independent verification of their security controls and commitment to data protection. This can help build trust and confidence in the web service's security hygiene.
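As an added example (not the reviewer's code and not anything from USA2Me's systems), here is what password storage and a "forgot my password" flow look like when only salted hashes are kept: the service can verify a login and issue a single-use reset token, but it cannot e-mail the password back because it never has it. The store, usernames and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed parameter for the example; raise ITERATIONS to what your hardware tolerates.
ITERATIONS = 200_000

def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record holds salt and digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

class UserStore:
    """In-memory stand-in for an account table (constructed for this example)."""
    def __init__(self) -> None:
        self.users = {}         # username -> password record
        self.reset_tokens = {}  # username -> sha256(token), so a DB dump does not leak live tokens

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        return record is not None and verify_password(password, record)

    def forgot_password(self, username: str) -> str:
        """Return a single-use token to e-mail; the password itself is not recoverable here."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[username] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def reset_password(self, username: str, token: str, new_password: str) -> bool:
        """Consume the token once; succeed only if it matches the stored hash."""
        expected = self.reset_tokens.pop(username, None)
        presented = hashlib.sha256(token.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(presented, expected):
            return False
        self.users[username] = hash_password(new_password)
        return True
```

A service built this way has nothing to send in a "forgot my password" e-mail except the token; a plaintext password in such an e-mail is only possible when the password itself is stored or reversibly encrypted.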
Reply from Usa2me