Private variables in Solidity are usually not as private as expected. The value of a private variable can be read by anyone running a full client node with a JavaScript console. As an example, consider the following private variable of a contract:
    contract PrivateContract {
        // First state variable, so it is stored in storage slot 0.
        string private Password = "MyPassword123";

        constructor() public {
        }
    }
Knowing the contract address and running a full node on the Ethereum network, you can easily read the value of the private variable, for example with:
    web3.eth.getStorageAt(contractAddress, 0)
which results in the following hex value:
    '0x4d7950617373776f72643132330000000000000000000000000000000000001a'
which, after decoding, gives:
    MyPassword123
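Why the slot value has this shape, as an added example that is not part of the original post: Solidity keeps a string of up to 31 bytes directly in its slot, left-aligned, with length × 2 in the last byte, which is the trailing 1a (26 = 2 × 13) in the value above. The decoder below runs offline under Node.js; the helper name decodeStringSlot and the long-string sample are constructed for illustration.

```javascript
// Added example: decode the 32-byte word returned by web3.eth.getStorageAt()
// for a Solidity `string` state variable. Runs offline under Node.js.

// Slot 0 value from the article, written as its three parts:
// 13 bytes of UTF-8 data, zero padding, and the marker byte 0x1a (= 2 * 13).
const DATA_HEX = '4d7950617373776f7264313233';
const SLOT0 = '0x' + DATA_HEX + '0'.repeat(36) + '1a';

// Constructed sample (not from the article): main slot of a 40-byte string.
// Long strings keep only length * 2 + 1 here (0x51 = 81).
const LONG_SLOT = '0x' + '0'.repeat(62) + '51';

// decodeStringSlot is a hypothetical helper name.
function decodeStringSlot(slotHex) {
  const hex = slotHex.replace(/^0x/i, '');
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error('expected a full 32-byte storage word');
  }
  const word = Buffer.from(hex, 'hex');

  if ((word[31] & 1) === 0) {
    // Short form (0 to 31 bytes): data is left-aligned in the slot itself.
    const length = word[31] / 2;
    if (length > 31) throw new Error('malformed short-string marker');
    return { form: 'short', length, value: word.subarray(0, length).toString('utf8') };
  }

  // Long form (32 bytes or more): the slot holds length * 2 + 1 and the data
  // sits in consecutive slots starting at keccak256(slot index), each of
  // which is just as readable through getStorageAt.
  const length = Number((BigInt('0x' + hex) - 1n) / 2n);
  return { form: 'long', length, dataSlots: Math.ceil(length / 32), value: null };
}

console.log(decodeStringSlot(SLOT0));
console.log(decodeStringSlot(LONG_SLOT));
```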
So the message is simple: do not store private information in private variables on the blockchain, because it is not really private!