Last month I blogged about a security bug in Basecamp which allows administrators to see all the users’ passwords. Yesterday, David Heinemeier Hansson commented that it has now been taken care of and fixed, which is great. It turns out I was wrong about them ignoring the issue; there was a previous, similar issue which is the one talked about on the Basecamp forums, but what I encountered was separate to that. In hindsight I should have tried to contact 37signals before ranting about it on my blog, but I guess you live and learn.