We have a critical security incident in the Identity Portal on our TEST server.
The new Module "Database Passwords" has been added to the IDP - it's for changing passwords.
If I go to the Tasks and open Developer Tools, the web service returns back the whole dataset - passwords are shown in plain text.
Release : 14.4
Customers created IM user store attributes where they stored database passwords for users.
These attributes were also added to Setup - Managed Object Attributes - User attributes.
Any attribute value that should be stored but not visible to user should be marked as sensitive in IM userstore.
In addition it may be encrypted.