I just received an email from VGP (about Shiren 5) and immediately remembered this thread constantly bringing up how shoddy VGP's security is (like today). Let me give you an example.
This is the URL address that the email message listed for me with some parts censored with "YYY":
Code:
http://www.videogamesplus.ca/account_history_info.php?order_id=YYY&email_address=YYY
Basically, it's a page that tells everything about your order: your real name, your home address, your payment method, the things you bought, etc. Here's the catch: you don't even need to be logged in to see this. All you need to know is a combination of an existing order number and the associated user's email address to find out a gigantic leak of information about someone. And I found this out by simply clicking on the link on my work's browser (which had never logged into VGP), so if I realized this, consider it public knowledge for any of the maaaany phishers out there.
If you don't understand the seriousness of this issue, let me spell it out for you: a bot can try a tremendous amount of order number/email combinations per second until it finds a valid receipt with all its information to leak, probably including credit card information. I've contacted VGP regarding this (from their site), but more people seriously need to give them a hard time for this mess. It is not acceptable in any way.
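
For reference, a sketch of the access check an order page like this needs. It is an added example, not part of the post above and not VGP's code. All names (`LINK_KEY`, `ORDERS`, `make_link_token`, `can_view_order`) and the sample data are hypothetical: the full page requires the logged-in owner, and an emailed link carries a signed, expiring token instead of the order number and email address.

```python
import hashlib
import hmac
import time

# Assumption: a server-side secret that never leaves the server (constructed value).
LINK_KEY = b"constructed-demo-key-not-a-real-secret"
LINK_TTL = 7 * 24 * 3600  # emailed links stop working after a week

# Constructed sample data standing in for the shop's order table.
ORDERS = {1001: {"customer_id": 7}}


def make_link_token(order_id, expires):
    """HMAC over order id and expiry; cannot be computed without LINK_KEY."""
    msg = f"{order_id}:{expires}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def can_view_order(order_id, session_customer_id=None, token=None,
                   expires=0, now=None):
    """Return 'full', 'summary' or 'deny' for a request to view an order.

    'full'    - logged-in owner: name, address, payment method, items.
    'summary' - valid emailed link, no login: items and status only.
    'deny'    - everything else, with the same answer whether or not the
                order exists, so responses do not confirm valid order ids.
    """
    now = time.time() if now is None else now
    order = ORDERS.get(order_id)
    if order is None:
        return "deny"
    # A session decides on its own: only the owning account sees the page.
    if session_customer_id is not None:
        owner = session_customer_id == order["customer_id"]
        return "full" if owner else "deny"
    # No session: accept only an unexpired token signed by the server.
    if token and now <= expires:
        expected = make_link_token(order_id, expires)
        if hmac.compare_digest(expected.encode(), token.encode()):
            return "summary"
    return "deny"
```

Knowing an order number and an email address grants nothing here, and request rate limiting on the endpoint would still be needed on top of this check.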