I can't believe this isn't a bigger story. When I read this Bloody Elbow link: The dangers of using UFC's Fight Pass I was surprised. People have been mentioning how this site seems like it's just not ready, but I didn't realize just how not ready it was.
I've been using UFC.TV for a while to watch UFC PPV events because I don't have cable. It generally works well and the streaming quality is good. But I was always a bit uneasy about them storing my credit card information, which I generally prefer to type in every time.
I'm not a security expert, but I have been involved in projects with security concerns similar to UFC.TV. I'm basing these opinions on my experience and the presumed fact that the UFC.tv staff can send you your password if you forget it, which I have not verified myself.
I think the concerns expressed in the Bloody Elbow article are very valid. If a hacker or an insider gets access to the UFC.tv database then they'll likely have access to everything.
Even if they've encrypted their passwords, the fact that someone on staff can decrypt a password and send it to you is evidence that passwords are stored in a reversible format. That's bad. Reversible storage means the application must hold a decryption key, and that one key unlocks every password at once: whoever obtains a copy of the database together with the key (an attacker who compromises the application server, or an insider who leaks it) recovers all the passwords, not just one. If the passwords are stored in plaintext, the database alone is enough.
A better method is storing hashed (and salted) passwords. A password hash is the output of a one-way function, one that is infeasible to invert: the server can check that a submitted password produces the stored hash, but possession of the hash does not hand an attacker the password. A per-user random salt ensures that two users with the same password get different hashes, so an attacker cannot precompute one lookup table and apply it to the whole database. A purpose-built slow hash (bcrypt, scrypt, PBKDF2 or Argon2) makes every guess expensive.
More importantly, even if an attacker "cracks" a password hash, that yields only one password; the cracking process, which means guessing candidate passwords and hashing each one with that user's salt until something matches, must be repeated for every hash in the database. One caveat: a successful crack normally does recover the password itself, since the attacker found it by guessing it, so a weak password that gets cracked can still be tried against your accounts on other sites where you reused it. Hashing limits the damage from a breach to the passwords weak enough to be guessed; it does not make password reuse safe.
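To make the hashed-and-salted scheme concrete, here is an added example (my own illustration, not code from UFC.tv or the Bloody Elbow article) using Python's standard library: PBKDF2-HMAC-SHA256 with a fresh random salt per user, a constant-time verify, and a small dictionary attacker that shows the cost is paid once per stored hash. The user records and the wordlist are constructed for the demonstration; the iteration count is deliberately low so the attacker finishes quickly.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2 iteration count. Kept low here so the demonstration cracker runs in
# well under a second; a production deployment should use a far higher count
# (or Argon2/bcrypt/scrypt, which are designed for this job).
ITERATIONS = 20_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a stored record 'iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn for every call, so hashing the same password
    twice yields two different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the record's own salt and compare in constant time."""
    iterations_str, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations_str))
    return hmac.compare_digest(digest.hex(), hash_hex)


def dictionary_attack(stored: str, wordlist):
    """Try to recover the password behind ONE stored record by guessing.

    Returns (password_or_None, guesses_tried). Because every record carries
    its own salt, there is no shortcut: a second record costs a second full
    pass over the wordlist, and a hit reveals the actual password guessed.
    """
    tried = 0
    for candidate in wordlist:
        tried += 1
        if verify_password(candidate, stored):
            return candidate, tried
    return None, tried


def crack_database(records: dict, wordlist):
    """Run the attack against every record; returns (found, total_guesses)."""
    found = {}
    total = 0
    for user, stored in records.items():
        password, tried = dictionary_attack(stored, wordlist)
        total += tried
        if password is not None:
            found[user] = password
    return found, total


# Constructed sample data: three users, two of whom reused the same weak password.
CONSTRUCTED_USERS = {
    "alice": hash_password("hunter2"),
    "bob": hash_password("hunter2"),
    "carol": hash_password("correct horse battery staple"),
}
# Constructed attacker wordlist; the strong passphrase is deliberately absent.
CONSTRUCTED_WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]


if __name__ == "__main__":
    print("alice:", CONSTRUCTED_USERS["alice"])
    print("bob:  ", CONSTRUCTED_USERS["bob"])  # same password, different record
    found, guesses = crack_database(CONSTRUCTED_USERS, CONSTRUCTED_WORDLIST)
    print("cracked:", found, "after", guesses, "guesses")
```

Running it shows alice and bob holding different records for the identical password, the attacker spending a separate pass over the wordlist for each of the three users, and carol's passphrase surviving because it was never guessed. It also shows the caveat above: when the attack succeeds it hands back "hunter2" itself, which is exactly what a reused password lets an attacker carry to another site.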
I have no inside knowledge whatsoever, but it seems plausible to me that the site applied equally weak protection to the credit card information. Unlike a password, a stored card number has to be reversible (the site must charge the card again for the next PPV), so the question is where the decryption key lives; if it sits next to the database, or the card data is not encrypted at all, then a single database compromise or a single leaked key exposes every card on file. The practice that avoids this is not to keep the card number at all and instead store a token from the payment processor that is only good for charging that one merchant.
If I had known that an admin can email me my password I would have never signed up for UFC.tv. I really hope that the UFC responds to this; I really like watching PPV events online with UFC.tv and I like the fight library (particularly if they improve the interface and search). It seems inexcusable that the UFC can continue the front-and-center global launch of fightpass without addressing these concerns.