Tabroom is a really big piece of software. It’s also an old one. That means that every single person who has had access to Tabroom for any reason up until this point has had a chance to break or leak something accidentally.
How did you find this?
That is pretty much what happened. I was trying to help my friend link their Tabroom account to their NSDA one, and I found a document on how to do it. Unfortunately, since I am not an advisor for my school, I could not link the accounts. However, the document listed credentials for what I assumed to be an account for the tutorial. When I attempted to log in with the credentials, it surprisingly worked.
What was on the account
I originally assumed it was a sandbox account and that nothing would save if I edited it. I wanted to make sure though, so I went through some of the tabs. In the judges tab, I found a list of a surprising number of NSDA staff and members' emails and phone numbers. At this point, I notified Tabroom (and never saved any info).
20:57 UTC
Hello! I was trying to help my friend link their Tabroom to an NSDA account and stumbled upon the tutorial, which has the username and password of the NSDA test school advisor account.
I was worried that it shouldn't be public since it lists the emails and phone numbers of many NSDA members and staff in the judges tab (https://www.tabroom.com/user/chapter/judges.mhtml?chapter_id=48604).
Sincerely,
Ross Wheeler
Response
I have to give Tabroom a lot of credit here, as they responded on a national holiday in 30 minutes.
21:29 UTC
Thank you for your email and for bringing this to our attention. We have updated the login information for that account and it is no longer accessible with the password on that document. We appreciate you letting us know.
What to learn
Software grows, and as it grows, so does the chance that a small mistake or even a non-issue in the past turns into a security flaw in the present. But for such a small team, they have come a long way :)