FitBit sends unencrypted user data, broadcasts User ID →

Kyle Machulis:

The problems began when it didn’t have drivers for syncing via Linux. Doing what it is I do, I figured I’d whip some up real quick. This is where things went horribly, horribly wrong.

Yes, that’s a user’s email and password, unchanged and in clear text, being flung over to their website via a pure HTTP connection. This step is also logged to the user’s hard drive in a clear-text file that is world-readable.

This is bad.

Vendors who sell Quantified Self applications had better start thinking seriously about security. Users want to log this data, but they also want it reasonably secure. Failing to provide that could set back the whole industry, which is already besieged by privacy concerns one way or another.

∞ 26-01-2012