On their website, go to the sign in screen and click “Need help signing in”. Go through the prompts and watch the person’s username, and the legal name of all their employers (who have ever used ADP) appear on the screen.

Note: Whether or not you select “my current employer uses ADP”, it will still show you the full list of both current and previous employers (who use ADP).

From there, it is remarkably easy to gain access to paycheck information if you are a grocer, a landlord, a retailer, or any one of the 2737429193 entities who may have a little extra data on them.

Edit: To address some of the comments, I feel I need to clear something up. I’m not saying this is some authoritarian configuration error ADP messed up on. It’s a standard login that works conveniently for ADP and also happens to be negligent in privacy protection. And it’s most likely completely legal for most people in the U.S.
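
An added example, not part of the original post and not ADP's code: a sign-in help handler that puts the username and employer list on screen, next to one that gives the same reply for a hit or a miss and sends the username only to the contact already on file. The identity fields asked for (last name, birth date, postal code), the record layout and every function name are assumptions, and the sample record is constructed.

```python
# Constructed sample record; every name and value is made up for this example.
RECORDS = [
    {"last_name": "Doe", "birth_date": "1990-01-01", "postal_code": "00000",
     "email": "pat@example.test", "username": "pdoe01",
     "employers": ["Example Grocer LLC", "Sample Retail Inc"]},
]

GENERIC_REPLY = {
    "status": "ok",
    "message": "If the details match an account, sign-in help was sent "
               "to the contact on file.",
}


def _find(last_name, birth_date, postal_code):
    """Return the record matching all three (assumed) identity fields, or None."""
    for rec in RECORDS:
        if (rec["last_name"].lower() == last_name.lower()
                and rec["birth_date"] == birth_date
                and rec["postal_code"] == postal_code):
            return rec
    return None


def recover_on_screen(last_name, birth_date, postal_code):
    """Weak pattern: a match renders username and employer history to the
    requester, who may only be someone holding a few facts about the person."""
    rec = _find(last_name, birth_date, postal_code)
    if rec is None:
        return {"status": "error", "message": "No account found."}
    return {"status": "ok", "username": rec["username"],
            "employers": rec["employers"]}


def recover_out_of_band(last_name, birth_date, postal_code, outbox):
    """Hardened pattern: identical reply for hit and miss; the username goes
    only to the address on file and employer history is not sent at all."""
    rec = _find(last_name, birth_date, postal_code)
    if rec is not None:
        outbox.append({"to": rec["email"],
                       "body": f"Your username is {rec['username']}."})
    return dict(GENERIC_REPLY)
```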

  • Onno (VK6FLAB)
    3 days ago

    Effective for whom?

    The users whose data was disclosed, or the company that made the disclosure?

    • Serinus@lemmy.world
      3 days ago

      Well, this leak is out there now for whoever decided to use it. And it’s being publicized. That doesn’t seem good for the people having their payroll data leaked.

      • Aslanta@lemmy.worldOP
        3 days ago

        Hey, now. Don’t go blaming the person who is calling attention to the negligence of another. 5 years ago, ADP had a user support service to handle login issues. But with the diminishing right to privacy in recent years, it is much more convenient for them to simply give the information away.

        • catloaf@lemm.ee
          3 days ago

          Seems even worse for them to know and to have malicious actors know as well. Effectively creating a zero-day is not a good thing.