
Engineer admits hacking Yahoo accounts searching for images

113 points | prostoalex | 6 years ago | ktvu.com | reply

95 comments

[+] raz32dust|6 years ago|reply
End-to-end encryption is the only foolproof way of preventing this. But if that is not possible, training and audit/alerts is the next best thing.

Training is important because new employees or new college grads might not be aware of truly how egregious it is to view someone's personal data. It really had to be drilled into the culture. By audits and alerts, I mean that if one employee accesses sensitive information, they know that other teammates are getting an alert about it. People do such things when they think nobody will know.
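
The audit/alert control described in this comment (and the client-side notice oyebenny suggests below) can be sketched in code. The following is an added example, not code from the thread or from Yahoo or any other provider: every staff read of a user's data is logged, the employee's teammates receive an alert, the affected user receives a notice, and reads that are not backed by an open support ticket for that user are flagged. The team roster, ticket ids, user ids and the repeat-offender threshold are all constructed for the example.

```python
"""Peer-visible audit trail for privileged access to user data.

Added example (not code from the thread or from any vendor). Models the
control described above: every staff read of a user's mailbox is recorded,
the accessing employee's teammates are notified, and the affected user gets
a client-side notice. Names, tickets and thresholds are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessEvent:
    employee: str
    user_id: str
    resource: str          # e.g. "mailbox", "attachments"
    ticket: str | None     # support ticket justifying the access, if any
    at: datetime


@dataclass
class AuditBus:
    """Collects access events and fans them out as alerts.

    teams maps employee -> set of teammates who should see the alert.
    open_tickets maps ticket id -> user_id the ticket authorises access to.
    """
    teams: dict[str, set[str]]
    open_tickets: dict[str, str]
    events: list[AccessEvent] = field(default_factory=list)
    peer_alerts: list[tuple[str, str]] = field(default_factory=list)   # (teammate, message)
    user_notices: list[tuple[str, str]] = field(default_factory=list)  # (user_id, message)
    flagged: list[AccessEvent] = field(default_factory=list)

    def record(self, ev: AccessEvent) -> bool:
        """Log the access, alert peers and the user; return True if it is justified."""
        self.events.append(ev)
        # An access is justified only if the cited ticket is open AND is for this user.
        justified = ev.ticket is not None and self.open_tickets.get(ev.ticket) == ev.user_id
        tag = "OK" if justified else "UNJUSTIFIED"
        msg = (f"[{tag}] {ev.employee} read {ev.resource} of {ev.user_id} "
               f"at {ev.at.isoformat()} (ticket={ev.ticket})")
        # Peer alert: teammates see every access, justified or not.
        for mate in self.teams.get(ev.employee, set()):
            self.peer_alerts.append((mate, msg))
        # Client-side notice: the user learns that staff touched their data.
        self.user_notices.append((ev.user_id, f"Staff accessed your {ev.resource} (ticket={ev.ticket})"))
        if not justified:
            self.flagged.append(ev)
        return justified

    def repeat_offenders(self, threshold: int = 2) -> dict[str, int]:
        """Employees with at least `threshold` unjustified accesses (constructed threshold)."""
        counts: dict[str, int] = {}
        for ev in self.flagged:
            counts[ev.employee] = counts.get(ev.employee, 0) + 1
        return {e: n for e, n in counts.items() if n >= threshold}


def demo() -> AuditBus:
    """Run three constructed accesses: one justified, two that should be flagged."""
    bus = AuditBus(teams={"alice": {"bob", "carol"}}, open_tickets={"T-100": "user-7"})
    t = datetime(2019, 10, 1, tzinfo=timezone.utc)
    bus.record(AccessEvent("alice", "user-7", "mailbox", "T-100", t))      # justified
    bus.record(AccessEvent("alice", "user-9", "attachments", None, t))     # no ticket at all
    bus.record(AccessEvent("alice", "user-3", "attachments", "T-100", t))  # ticket is for another user
    return bus


if __name__ == "__main__":
    b = demo()
    for mate, message in b.peer_alerts:
        print(f"alert to {mate}: {message}")
    print("repeat offenders:", b.repeat_offenders())
```

The point of the design is that the alert goes out on every access, not only on flagged ones: the deterrent the comment describes comes from the employee knowing that colleagues (and, with the user notice, the account owner) will see the read regardless of whether it passes the ticket check.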

[+] oyebenny|6 years ago|reply
I'd actually love to have this implemented client side, i.e. if an employee views or accesses your info, the client gets an alert.
[+] JazzXP|6 years ago|reply
The fact he was able to usually means something is lacking in the backend security. Yes, bad employee, but more encryption and security models are required. Back when I was working on share trading software, this was one of our requirements of the system.
[+] alfiedotwtf|6 years ago|reply
Encryption, in email? lol...

This is what happens when end-to-end encryption isn't the default in communications software. All email providers are vulnerable to this bar none.

[+] Trias11|6 years ago|reply
Banks routinely hire hit-n-run contractors to manage systems with low level, uncontrolled, unaudited access to mind boggling resources and eye popping access to private customers' info.

Email porn? Child's play.

[+] hos234|6 years ago|reply
Not just contractors. In most parts of the world there will be a 20 year old, with 3 months of "security training" paid less than $1000 a month, running around the data center with keys to the castle.
[+] d-d|6 years ago|reply
Everything has to get decrypted at some point, right? I try not to think about what would happen if a Google employee decided to leak everyone's search history.
[+] tennessee5|6 years ago|reply
Chris Putnam, who used to work at Facebook, did almost exactly the same thing with videos.
[+] glandium|6 years ago|reply
Wait, what? I knew the part where he wormed Facebook and eventually got hired, but I didn't know that. Do you have a source? I only was able to find the part I already know about.
[+] xenihn|6 years ago|reply
Holy shit, that's a name I haven't seen in forever. I remember gbs.tv and SA secret santa.
[+] raxxorrax|6 years ago|reply
This is probably a common occurrence in the industry, especially at companies that make money with user data. This is at the core of the issue why the recommendation has always been to minimize data exposure from industry experts.

Even if end-to-end encryption were applied, there will never be 100% security from administrators and developers. You cannot even reasonably audit these systems with current technologies.

And yes, protected HR and user information will regularly leak into IT departments. If the latter is outsourced to third parties, this means data leaks galore.

[+] SteveNuts|6 years ago|reply
I truly don't understand how Yahoo still exists. How have they survived this long?
[+] tempsy|6 years ago|reply
The updated Yahoo Finance app is really slick, actually.

It actually makes me wonder WTF happened to Google Finance? Why did they essentially abandon it? Charts just show up at the top of the results page but there's no dedicated site anymore.

[+] taftster|6 years ago|reply
Fantasy football, NCAA Men's Basketball tournament, and maybe finance.yahoo.com is about it.
[+] journalctl|6 years ago|reply
What other service am I supposed to use as a permanent throwaway email account?
[+] throwaway13000|6 years ago|reply
When was the last time you changed your email address?
[+] marsrover|6 years ago|reply
All the great logos they design keep them in business.
[+] ycombonator|6 years ago|reply

[deleted]

[+] dehrmann|6 years ago|reply
I'm starting an engineering job at a FAANG in a few weeks. They already had me sign something agreeing to not do anything with the data of someone I know in the course of my work, told me access is monitored, not to make actual changes to people's accounts because hacking isn't distinguishable from admin changes by users, and if something accidentally happens, to notify a specific group so they can reach out to the user.

It feels like they take privacy really seriously, but at the end of the day, yes, employees do have access to your data, so before giving any company your unencrypted data, think hard about it.

[+] xenadu02|6 years ago|reply
Fun story: A GitHub employee renamed my user account because his buddy wanted the name. Nothing was ever done about it.
[+] jrockway|6 years ago|reply
Do you have any more details about this?
[+] andykx|6 years ago|reply
I strongly doubt that Google harbors any negative feelings for you specifically. Do you have any concrete evidence for your claim?
[+] lonelappde|6 years ago|reply
How do you know it was an inside job?
[+] spedru|6 years ago|reply
It's sobering to think about this in tandem with the fact that people in the IQ bracket for “engineer” tend to get away with crimes. Honestly, though, at least this can be turned into a concrete example to shoot down “if you don't have anything to hide...” and the like. The banal, lascivious panopticon elicits a real disgust response that might be moving, as opposed to the “shut up you alex jones weirdo” that sticks to talk of the NSA no matter how many Snowdens happen.
[+] smt88|6 years ago|reply
Let me try to rephrase this in a simpler way:

This is even more troubling because smart people are less likely to be caught.

At least, like Snowden's leaks, this is proof that privacy extremists aren't conspiracy nuts, and hopefully it will open a few eyes to the real danger of giving up privacy.

Other comments are right: stop using big words and write plain sentences.

[+] duxup|6 years ago|reply
Just for the sake of feedback, I found your post confusing.

It's not really clear to me what you are saying exactly.