MelbourneIT is storing domain transfer passwords in cleartext and emailing the credentials to users who never requested them.
The AuthInfo passwords allow users to authorise registrars to transfer their domain names.
The security slip was spotted by a customer who had multiple emails sent to them after administrators made changes to DNS settings unrelated to AuthInfo password requests.
Storage of cleartext passwords places users at risk of their domains becoming compromised in the event of a data breach. Emailing passwords also puts the communications at risk of interception by attackers.
Emails containing cleartext passwords tend to be a good indication that the codes are also stored in human-readable format on web servers. If the credentials were stored on the server in an encrypted format, it is unlikely they could be automatically decrypted by a mailout program to be sent in cleartext.
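The distinction the article draws is between a store a mailout program can read back and a one-way store that cannot be read back at all. The following is an added illustration, not code from the article or from MelbourneIT, of how a registrar can keep AuthInfo codes so that no process can ever email the original: only a salted PBKDF2 hash is persisted, a transfer request is verified against that hash, and a "resend my code" request is answered by rotating the code rather than disclosing it. The iteration count and code length are assumed values.

```python
import hashlib
import hmac
import secrets

# Assumed work factor (not from the article); tune to the hardware in use.
PBKDF2_ITERATIONS = 600_000


def generate_authinfo(nbytes: int = 16) -> str:
    """Random AuthInfo code. It is shown to the registrant once and never stored."""
    return secrets.token_urlsafe(nbytes)


def store_authinfo(code: str) -> dict:
    """Build the record a registrar would persist: salt, iteration count and a
    one-way hash. The code itself is not in the record, so a mailout job reading
    this table has nothing it could send in cleartext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


def verify_authinfo(record: dict, presented: str) -> bool:
    """Check the code presented with a transfer request. Recompute the hash with
    the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", presented.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def rotate_authinfo(record: dict) -> tuple[str, dict]:
    """Handle a registrant's 'send me my AuthInfo' request. With a hashed store
    there is nothing to decrypt, so issue a fresh code, return it for one-time
    delivery, and return the replacement record that invalidates the old code."""
    new_code = generate_authinfo()
    return new_code, store_authinfo(new_code)


if __name__ == "__main__":
    code = generate_authinfo()
    record = store_authinfo(code)
    print("stored record contains the code:", code in repr(record))
    print("valid transfer request accepted:", verify_authinfo(record, code))
    print("wrong code rejected:", verify_authinfo(record, code[::-1]))
    new_code, record = rotate_authinfo(record)
    print("old code still works after rotation:", verify_authinfo(record, code))
```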
MelbourneIT states on its policy page that it uses "128-bit crypto" on "data you input into our website".
A MelbourneIT support member said last month in a forum that .com.au domains could not be locked -- a method to prevent unauthorised domain transfers -- due to a "known issue" which was being investigated.
A spokesman for the company confirmed the storage of cleartext passwords, and said the credentials would be encrypted "within the next quarter" as part of its rollout of an identity and access management system currently in design.
Other users reported the email issue late last year.
MelbourneIT recommended "high value domain names" use a registry lock where available.
Sending passwords in cleartext is so common a misstep that a dedicated website, Plain Text Offenders, brims with lists of organisations that have emailed human-readable passwords to their users.
Omer van Kloeten, co-founder of the website, said in a post that passwords emailed to users in cleartext via a 'forgotten password' feature indicate the credentials are also stored on servers in human-readable text.
"... many people use the 'forgot password' option on sites and get their password sent back to them - a clear indication that the password is stored in plain text (or using reversible encryption, which is pretty much the same)," van Kloeten said.
"All in all - it’s not a safe thing to do and an indicator of low security standards. We use emailed passwords as proof of that."
An unconfirmed post on the website in June last year claimed the Defence Signals Directorate was among those government agencies sending cleartext passwords.
The agency was accused of sending exposed passwords for applications to its information security division.
Defence was unable to comment on the post prior to publication.