I do it, so my site should be safe, right? Well, it turns out that the answer
is "wrong"!
One of the websites that shares a webserver with my site left customErrors set to Off in its web.config when
it deployed.
How does this affect me? Well, there was a problem in the machine.config on
the server. That website exposed the error because it had customErrors off,
which basically dumps a stack trace onto the web page. In this particular
case, it happened to show the bad line from the machine.config. What was the bad
line? It set up impersonation for four websites on the server, mine of course being
one of them. So browsing to that other website showed anyone going there the
logins and passwords for four domains.
So this is no longer just a best practice, it is a rule: there are plenty of
web.config settings that should not get to production!! Pay attention.
Please.
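A quick pre-deployment check for exactly the two settings in this story, as an added example that is not the author's code: it flags customErrors mode="Off" and an identity element still carrying a plaintext impersonation password. The sample configs are constructed, with placeholder credentials.

```python
"""Audit ASP.NET config files for the two settings in the story above:
customErrors mode="Off" (stack traces shown to every visitor) and an
<identity> element with plaintext impersonation credentials."""
import xml.etree.ElementTree as ET

# Constructed web.config with both problems present (placeholder credentials).
BAD_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
    <identity impersonate="true" userName="EXAMPLE\\svc_site" password="PLACEHOLDER" />
  </system.web>
</configuration>"""

# Same config hardened: errors hidden from remote users, identity section
# encrypted in place (the form produced by `aspnet_regiis -pe`).
GOOD_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.aspx" />
    <identity configProtectionProvider="DataProtectionConfigurationProvider">
      <EncryptedData>...</EncryptedData>
    </identity>
  </system.web>
</configuration>"""


def audit_config(xml_text):
    """Return a list of finding strings for one config file (empty if clean)."""
    findings = []
    root = ET.fromstring(xml_text)
    for ce in root.iter("customErrors"):
        if ce.get("mode", "").lower() == "off":
            findings.append("customErrors mode=Off: unhandled exceptions (stack trace, "
                            "offending config line) are shown to remote visitors")
    for ident in root.iter("identity"):
        if ident.get("configProtectionProvider"):
            continue  # section is encrypted on disk; nothing readable to leak
        if ident.get("impersonate", "").lower() == "true" and ident.get("password"):
            findings.append("identity: plaintext impersonation password for %s; "
                            "encrypt the section with aspnet_regiis -pe"
                            % ident.get("userName", "?"))
    return findings


def audit_file(path):
    """Audit a web.config or machine.config on disk (machine.config affects every site)."""
    with open(path, encoding="utf-8-sig") as fh:
        return audit_config(fh.read())
```

Run it over machine.config as well as each site's web.config, since a bad line in machine.config is inherited by every site on the box.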