Maybe I misunderstood the self-host setup—the server running the site I need analytics on is shared, so I don’t have access to install Matomo there. But I could run it on my own server, and still track sites hosted elsewhere?
Nonetheless, sending plain text passwords is insane.
Thank you for the feedback, we take security seriously and we are already planning to improve this in the near future, where all users will be forced to change their password on login. If you have any other suggestion, please email the Cloud support team directly.
Have a great day,
Honestly, I don’t think you should be stating that right now with such blatant evidence to the alternative. You’re sending passwords in plain text without even the slightest hint the user should change it.
If you care about security, signups would be discontinued until this is fixed and (secure) password resets would be required for all afterwards. Every one of your cloud users—and the data of all of their customers—is potentially compromised right now.
Can you please contact us at security@matomo.org and explain in further detail what the security issue is exactly? In no case should Matomo log the passwords of users anywhere.