One of the websites I tried to use for a free PHP host was IsMyWebsite. Well, I'm glad I did, because I got to be witness to one of the most ridiculous security failings ever.
Previously I already had to complain about their passwords being passed from page to page through GET headers, they've outdone themselves. This morning I and every other IsMyWebsite user was sent an e-mail for forgotten passwords suggesting we choose just one of the accounts registered under our e-mail...which included every username and password for the site.
And in case you're wondering, the change password form doesn't work.
Wow, that sucks.