That user also found that rather than forcing ticket-holders to reset their passwords if they lost them, the system simply emailed their passwords to them in plain text, a practice that makes stealing accounts particularly easy for hackers.

But that wasn’t all. It was also discovered that the admin password for the website was “adminadmin,” and that the system left its users wide open to have their data stolen.

“After logging in,” Marai wrote in his blog post, “people were also able to get the data of other users (probably through manipulating the url, the news report was not 100% clear here).” Marai added: “To register, you have to provide your name, your address and an ID number (national id, driving license or passport).” All of those materials had the potential to be easily stolen by anyone with access to an account.

According to a Facebook post written by the teen who originally found the pricing bug, the BKK had initially responded to his email saying only that the pass he bought for $0.20 had been invalidated. Then, after stories about the bugs spread through Hungarian media, the transport authority took a different approach. The BKK, along with T-Systems Hungary, a subsidiary of Deutsche Telekom that helped build the e-ticketing system, said their systems had been repeatedly attacked by hackers, and that the teen in question had not alerted the authorities as he claimed.

“I personally feel for the young man concerned,” said a representative for T-Systems in a statement. “However, I would like to underline that under the given circumstances we had no other option but to press charges against an unknown offender (as the young man did not contact us).”

The teen, who was released from custody a few hours after he was arrested, later shared a screenshot of the email he sent to the BKK.

[protected-iframe id=”03a5831191d88d09b8e7132fc6523c82-39587363-89831834″ info=”https://www.facebook.com/plugins/post.php?href=https%3A%2F%2Fwww.facebook.com%2Fetikusbunozo%2Fposts%2F1814557618856570&width=500″ width=”500″ height=”607″ frameborder=”0″ style=”border:none;overflow:hidden” scrolling=”no”]

This is roughly what the email said, according to a Google translation:

Dear Title!
I found a security breach on their website, in the basket when I pay the price of the product (POST request) for what I want. (I got a monthly ticket for 50 Forints) I did not use the pass, my aim was clear and good. I just reported.
Regards,
[REDACTED]

In another post, the 18-year-old said wouldn’t have been able to use the ticket because, he said, “I don’t even live near Budapest.” Since his arrest was first reported, more than 47,000 users have left one-star reviews on the BKK’s Facebook page in protest.

📬 Sign up for the Daily Brief

Our free, fast, and fun briefing on the global economy, delivered every weekday morning.