Why Does Matomo Email Login Credentials as Plain Text?

I chose Matomo out of privacy concerns.

The first thing you do is email me login credentials in plain text.

I thought, “well, maybe they’ll just make me change it as soon as I login…”

Nope. Not even a notice to change at the top of the page after logging in.

Your product is cloud hosted data collection. This is totally unacceptable and very dangerous. Will be staying away from Matomo.

You know, you can always host Matomo for yourself, having full control over everything.

Maybe I misunderstood the self-host setup—the server running the site I need analytics on is shared, so I don’t have access to install Matomo there. But I could run it on my own server and still track sites hosted elsewhere?

Nonetheless, sending plain text passwords is insane.

Yes.

Indeed, there should at least be a forced password reset after the login. You are talking about an account on the InnoCraft cloud, aren’t you?


Hi there,

Thank you for the feedback, we take security seriously and we are already planning to improve this in the near future, where all users will be forced to change their password on login. If you have any other suggestion, please email the Cloud support team directly.
Have a great day,

“we take security seriously”

Honestly, I don’t think you should be stating that right now with such blatant evidence to the alternative. You’re sending passwords in plain text without even the slightest hint the user should change it.

If you care about security, signups would be discontinued until this is fixed and (secure) password resets would be required for all afterwards. Every one of your cloud users—and the data of all of their customers—is potentially compromised right now.
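What the forced password reset suggested above, and a setup link sent instead of a password, look like in code: an added example, not Matomo's or InnoCraft's code. It assumes in-memory dictionaries standing in for a database, PBKDF2 as the password hash, and a placeholder host in the setup URL.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for a database (assumption).
USERS = {}         # email -> {"pw_hash": bytes | None, "must_change": bool}
SETUP_TOKENS = {}  # sha256(token) -> {"email": str, "expires": float}
TOKEN_TTL = 3600   # setup links are single-use and expire after one hour

def _hash_password(password, salt=b""):
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
def _check_password(password, stored):
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), stored[:16], 200_000)
    return hmac.compare_digest(calc, stored[16:])

def provision_user(email, now=None):
    """Create the account with no usable password and return a setup URL to
    email instead of a password. Only the token's hash is stored, so a leaked
    database or debug log does not yield a working link."""
    token = secrets.token_urlsafe(32)
    USERS[email] = {"pw_hash": None, "must_change": False}
    SETUP_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "expires": (now or time.time()) + TOKEN_TTL}
    return f"https://analytics.example/setup?token={token}"  # placeholder host

def redeem_setup_token(token, new_password, now=None):
    """Consume the token (even on failure) and set the user's first password."""
    entry = SETUP_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or entry["expires"] < (now or time.time()):
        return False
    USERS[entry["email"]]["pw_hash"] = _hash_password(new_password)
    return True

def flag_for_reset(email):
    """Accounts that already got a mailed password must change it at next login."""
    USERS[email]["must_change"] = True
def login(email, password):
    """Return 'denied', 'must_change' (only a password change is allowed) or 'ok'."""
    user = USERS.get(email)
    if not user or not user["pw_hash"] or not _check_password(password, user["pw_hash"]):
        return "denied"
    return "must_change" if user["must_change"] else "ok"

def change_password(email, old, new):
    if login(email, old) == "denied" or old == new:
        return False
    USERS[email].update(pw_hash=_hash_password(new), must_change=False)
    return True
```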

No, it is not; this is only the case if some of the mail servers used are not trusted.

It’s October 2020 and still the debug log reveals all the passwords of all users! This should never be possible!

Hi @Thomas_Oliver_Moll,

Can you please contact us at security@matomo.org and explain in further detail what exactly the security issue is? In no case should Matomo log the passwords of users anywhere.

I can confirm that even in 2022 the emails were sent in plain text!!!
Matomo system check shows everything OK! What could be wrong?