-
PLEASE READ CAREFULLY!
Yesterday I had the opportunity to talk to a well-known TM programmer and security specialist, and he was nice enough to answer an important question for me:
How do TM accounts get hacked today?
Back in the earlier days, a TM client revealed a bit too much information connecting to online servers and besides that, TM's player database was directly attacked by hackers to reveal huge listings of player logins + passwords.
These flaws were fixed a long time ago and luckily, people aren't stupid enough anymore to freely give away their account passwords to anyone else who promises to give them any bonuses like coppers or whatever.
So how does it still happen?
Never underestimate the power of automation!
People lightly use important pieces of data (like passwords) in places of -unknown- security, for example to protect their self-made driving tracks from being analysed by others. That's a common thing among trackmakers...
Have you considered someone using the information stored in that trackfile (playerlogin + a password) to try to log in to your TM account?
Could that be successful because you used the same password for your tracks and your TM account and even lots of other websites?
Have you ever considered the power of automated scripts, reading+processing thousands of tracks and testing the login/pw combinations within literally no time?
You should....
Do server accounts get hacked as well?
Yes, there are numerous methods to gain access to servers and server accounts, because server admins make the same stupid mistakes: leaving default values as logins/passwords and not protecting important configuration files against direct access from outside (and against being found by search engines like Google!). And never forget that servers LOVE to talk to everyone who connects to the right ports.
This was just a small small insight into how people could get a hold of your account. These and other methods have been successfully (!) executed in the past and it's time for you to gear up your security measures.
4 simple hints for you!
- Don't use default values for passwords. Never.
- Don't use the same passwords at different important locations. Never.
- Always protect important configuration files against readability and being indexed by search engines.
- Never give your passwords to anyone else for whatever reason. Never.
-
wew, thanks for the info...
-
This is a bit like the message, don't do drugs son, coming from an alcoholic father, or rather, this is how we screwed up, but we are gonna blame you anyway.
Some of the hints are not practical. I always use default passwords for on-line accounts I couldn't care for. If the site gets hacked, then I have lost nothing. I use a select few strong passwords for accounts I do care about, and respect to have high security, and that's it. Simple and easy. A different password for all your different accounts is just not practical, and not needed.
-
i didn't write that for entertainment, but rather because i received a (rather funny) "live demo" of the hackability of TM accounts: lots of TM people are living on borrowed time.
-
You mean TM is on borrowed time.
Everyone here that has a track password that matched their TMX account was given a PM, and their account was frozen.
Never underestimate the power of automation!
People lightly use important pieces of data (like passwords) in places of -unknown- security, for example to protect their self-made driving tracks from being analysed by others. That's a common thing among trackmakers...
This should read: Nadeo made such a poor job of encrypting passwords in track files, that basically we've screwed it up for everyone. Never mind, we'll probably get a few more revenue sales from it, so it's not all bad.
Last edited by Ricardo Rix
-
hm, it still baffles me how little i am able to understand your ways.. but that's ok.