ID verification service for TikTok, Uber, X exposed driver licenses

432 points| brw | 1 year ago |404media.co

266 comments

[+] alwa|1 year ago|reply
It says the company claimed that the credential leak was discovered and remediated 18 months ago, meanwhile the leaked credentials were still working as of a month ago.

Is this level of governance and sophistication really typical of vendors in this space? Sprawling enterprises I can imagine losing track of the odd place or two where the credentials are used, but a vendor who only does one thing, specifically a high-trust thing like this?

Even if they don’t have the wherewithal to be thorough in-house, am I confused to imagine that such a firm would have to carry insurance, which would tend to bring in specialists to make sure this kind of remediation is done right?

[+] dragonwriter|1 year ago|reply
It's not a high-trust thing, these vendors exist largely because it gives the organizations with direct relations with consumers a step of removal when a breach occurs; they are blame-outsourcing firms.
[+] jdp23|1 year ago|reply
Yes, it's very typical. There are almost never any consequences for actions like this.
[+] EasyMark|1 year ago|reply
Why are they keeping a copy is what I’d like to know. It’s enough to know they checked it and verified it, so then they can delete it. Why keep copies at all?? Or at least blank out critical parts that aren’t public knowledge. This is so stupid.
[+] wepple|1 year ago|reply
> but a vendor who only does one thing, specifically a high-trust thing like this?

They’re not in the business of being trustworthy or secure, it’s just another software shop trying to grow product.

> which would tend to bring in specialists to make sure this kind of remediation is done right?

Ideally, sure. In reality an insurance company has many thousands of customers, they can’t possibly do any real assurance beyond basic compliance. Managing access and credentials is a hard problem for well staffed security teams, let alone a single compliance auditor.

[+] joshribakoff|1 year ago|reply
Uber wouldn’t delete my data when I demanded them to, they just hung up on me rudely. I escalated to the CEO and they sent me this message explaining why and assuring my fears of a data leak were “unfounded”:

Maribel again with Uber Support. Thank you for your patience while I took a further look at the deletion request. Unfortunately, we are unable to delete all of your information on the account due to security measures. Please visit our Privacy Notice for more details, specifically the sections titled E. Data retention and deletion. As of May 12, 2024, your account was marked for deletion. Keep in mind that deleting your driver account is permanent and will automatically delete your rider account as well. Any credits associated with your accounts will be lost. Additionally, I want to emphasize that we have strict security measures on the platform to ensure that your personal information and your safety are secured. Your understanding is appreciated.

[+] digging|1 year ago|reply
I genuinely think it should be a legal liability to make a claim such as "we have strict security measures on the platform to ensure that your personal information and your safety are secured."

First, because they're probably just outright lying to imply they're taking security as a paramount priority. They're likely following minimal guidelines to cover their own asses legally.

Second, because it's physically impossible for them to guarantee data security. It's like making a promise to a child that they're never going to die. A security breach is a matter of probability, not a door you can close and forget about. A society that allows companies to make absolute assurances about security at all is endangering itself. But it also means that levels of security and due diligence are difficult to quantify because we don't even conceive of it as a probabilistic issue.

(I also just watched the new Ashley Madison doc and it's really sticking with me that they made up fake certificates of security while putting virtually no effort into the real thing, and actively chose to play chicken with their users' data when they had the option of closing up shop - an extraordinarily clear case of being blinded by greed, especially as the payout was obviously forfeit if the hackers followed through. Both of these choices should have legally put much of the blame for the fallout and suicides on the CEO.)

[+] BiteCode_dev|1 year ago|reply
Plus, they can delete all your information, because GDPR mandates it in Europe.
[+] neilv|1 year ago|reply
Of course they leaked the data. Any seasoned techie could've seen that coming from the start.

One of these days, some seasoned and principled lawyer, who knows a bit about tech, is going to get ticked off, and decide to make one of these companies truly pay for their gross negligence.

Then, gazing at the obliterated company, other companies will try to get legislation to let them let them off the hook, but some of those companies will decide the party of recklessness is probably over, and that they need to start acting responsibly and competently.

[+] charles_f|1 year ago|reply
Security theater cycle at this stage:

1. Develop features at any cost, over-collect data, neglect security

2. Hacker gets in, picks up the entirety of the data made readily available, credit card numbers, social security numbers, prod credentials, sexual orientation predictions that the company made on their customers for some reason, all of the pay history of the company, Instagram creds of the CEO's girlfriend, and takes a dump in their bathroom

3. Try to shush the story

4. It gets exposed by an independent journalist in Kazakhstan who just reads /r/leaks

5. "We recently discovered that a malicious individual got access to a few logs on a random test server. Oops! So far we didn't find proof that it was used. Rest assured that security is our utmost priority. We love security here at ACME corp. Our teams have matching 'security' shirts, and every Thursday we pray to Glombo, the security god. As a gesture to our customers we offer everyone a free 2 week trial of our 'security+' package ($15.99/M after trial, don't forget to cancel). Once again, sleep well knowing your data is safe with us!"

6. 6 months later the security gap is half plugged by an intern developing a novel password management system that encrypts passwords in base64

7. Go to 1. because no-one cares

[+] rtaylorgarlock|1 year ago|reply
I hate to critique such a fine piece of work as your comment, yet I must add a 5.a) as an option taken by especially high-quality Profit corps: Blaming their customers for the leak (e.g. 23andMe).
[+] JumpCrisscross|1 year ago|reply
Wow, look at that list of clients: eToro, Coinbase, Payoneer [1].

Is there any way to determine if your information was leaked? The driver's license picture should qualify as biometric information under some states' laws [2].

[1] https://www.au10tix.com

[2] https://www.huschblackwell.com/2023-state-biometric-privacy-...

[+] smittywerben|1 year ago|reply
I could be wrong here but I want to say that a driver's license ID number would even be protected under the pre biometric data privacy laws.
[+] derbOac|1 year ago|reply
This all feels like some Orwellian nightmare to me. Things like TikTok and X shouldn't require any ID verification in my mind; the rest of this fiasco just underscores all the other reasons why this is a bad idea.
[+] heavyset_go|1 year ago|reply
Several states passed legislation that requires age verification for social media, and this is how it's implemented.

Companies are also incentivized to do it to prove their actual active user counts versus bots.

[+] SoftTalker|1 year ago|reply
Neither should Uber. I never needed to show ID to hail a cab. You just stood at the corner and waved your arm. Are we talking about Uber drivers here? That makes some sense. But passengers? (I don't know, I don't use Uber).
[+] Grimblewald|1 year ago|reply
The thing with all these leaks is that IDs are rapidly becoming worth less and less for the sake of actually proving your identity. Part of me believes a lot of this is intentional, to try to force people into using biometric ID like iris scans or fingerprints to verify, since physical IDs are so widely leaked and so thoroughly distributed to criminals that they're no longer trustworthy documents.
[+] macic|1 year ago|reply
Exactly. You should NEVER give these companies your ID for exactly this reason.
[+] BLKNSLVR|1 year ago|reply
I agree wholeheartedly, and I'm going to go a bit further...

I think that I'm either out-of-touch or far enough outside the bubble to be able to provide an objective viewpoint, but:

Needing to verify government issued ID to create an account for high-in-the-clouds pure "lifestyle" services such as Twitter and TikTok? Fuck me, is this how far we've come? Is this the destination anyone actually wanted to reach?

[+] astroid|1 year ago|reply
Didn't X switch to Stripe already? There was a huge uproar over people protesting Palestine being concerned about having their ID (with home address), biometrics (which they admitted to collecting), and other info to a company with such direct ties to Israel.

I don't know about this company specifically, but I know it's common for the government to essentially act as an incubator for tech companies, so the concerns probably weren't unwarranted.

I guess even with the switch, some people probably verified prior so it likely has some impact on X still -- and maybe this is actually what moved the needle internally, since the users were calling it out as a concern for quite some time.

I had no clue Uber and TikTok used them though, so that's good to know - thankfully I haven't given them my biometrics as of yet.

[+] treeFall|1 year ago|reply
Why are US citizens biometric identities being sent to Israel? Aren't there laws about sensitive information like this leaving US data centers?
[+] pylua|1 year ago|reply
You would be surprised. Banking companies / their vendors for instance will outsource to India and Poland. Some of the people in Poland are citizens of Belarus. US customer data is all over the world (account numbers / SSN / other personal info).

It may be stored in the US but accessed by people in LCOL areas.

[+] sundbry|1 year ago|reply
Good question. I was required to submit ID to Au10Tix for an Azure vendor account, and noticed that was outsourcing the data to Israel.
[+] qchris|1 year ago|reply
I sometimes think that situations like this are eventually going to lead to legally-required professional licensing for certain tasks in software development.

Obviously, not everyone who writes code needs a development license (what, I'm going to get licensed to write a blog or put up a site with fruit jokes?), but if your business is going to involve personally-identifiable information, then you need actual engineering, and the folks that do that engineering need certification. This is a similar mechanism to how engineering licensing even started (in the US anyway), where Wyoming basically got tired of water infrastructure being built by people who didn't know what they were doing.

Licensing could also help provide individual engineers with leverage against managers or C-suite folks who want to move fast & break things. When you're in a professional class with exclusive sign-off capabilities, it's easier to say "we have to do this right or it's my ass, back off", and should the company say "fine, you're fired", go ahead with managing the PII, and a leak like this happens, the company's liability goes way way up. That situation overall tends to improve the leverage that skilled workers (like those who know about database management for PII and endpoint configuration) have to do things right. There are a number of pitfalls that can happen with licensing as well, but I'd be curious to see if a push for something like this emerges over the next few years.

[+] doe_eyes|1 year ago|reply
> Obviously, not everyone who writes code needs a development license

That's actually a very likely outcome. The startling statistic is that roughly half of professions require occupational licensing. In some places, you need licensing to become a florist. In several states, being an interior designer or a gas pump attendant requires a permit. Software engineering is an absolute outlier as far as highly-paid jobs go.

I don't think this is right, but that's the world we're living in and we should stop fooling ourselves. There's a lot of SWEs who are talking about wanting some helpful, laser-focused regulation. Well, it's coming wholesale, and a fruit joke website is not going to be exempt.

[+] userbinator|1 year ago|reply
That's the dystopian situation which Richard Stallman envisioned in "Right to Read". Do not want. I'd rather have these periodic gaffes than the alternative.
[+] raxxorraxor|1 year ago|reply
Licenses of this kind would be a huge waste and if so, you would need to certify management, which likes to skimp on security. For engineers you either have special training or you accept the degree. Government cannot do much more.

And no license will give you leverage towards the C-suite.

[+] niij|1 year ago|reply
In the optimistic case the future won't require any of this licensing because there won't be private information to steal. There are solutions for identity verification without including scans of actual documents. Maybe smartcards will come out in the US at some point.
[+] tgv|1 year ago|reply
And then there'll be even more offshoring.
[+] crooked-v|1 year ago|reply
I'd be all for it if it finally gets the industry past all the stupid leetcode algorithm interviews.
[+] robben1234|1 year ago|reply
But there are already regulations and companies with their executives are being held accountable against it. Does it matter how many badges the person designing the system is wearing if it complies with regulations and passes an audit? The problem with leaks to me looks like more of the nature of lax enforcement and few consequences when found in the wrong.
[+] bux93|1 year ago|reply
LinkedIn is badgering me to "verify" my identity using some app I've never heard of every time I log on. I won't, because this will inevitably happen, and Microsoft will shrug and blame the outside company.
[+] steelframe|1 year ago|reply
I had to use one of these services once after I lost the MFA app for a domain registrar when switching phones. I wouldn't be at all surprised if my driver's license has been compromised from that company's S3 bucket (or wherever they're stuffing the images) since then. Regardless I was super-annoyed to have to jump through that hoop. The subsequent emails from them pleading with me to re-enable MFA have since gone straight to the bit bucket.
[+] diebeforei485|1 year ago|reply
I've noticed that companies are generally happy to say they use (for example) Plaid to handle your bank account details, but often bury or hide who is handling your passport details.

This is unacceptable. If you want my ID, you'd better disclose who you're sharing my ID with. And ideally give me a choice of providers.

[+] aketchum|1 year ago|reply
> And ideally give me a choice of providers.

This sounds good I guess but would be pretty annoying in practice for basically no upside for the business. I could see having 2 providers that are both randomly used so that we can continue business when one has an outage. But even then I would not be showing the option to my customers. The vast majority of users would be more confused by the options than happy about having options, and likely hurt conversion.

[+] gurchik|1 year ago|reply
> While PII data was potentially accessible, based on our current findings, we see no evidence that such data has been exploited.

How is this possible, when the journalist accessed the data to confirm it contained PII?

Each day I am more and more interpreting "we see no evidence" as "we didn't really look." That way their statement can be technically correct, without divulging any evidence that might be used against them when users sue for damages.

[+] mrweasel|1 year ago|reply
While we complain about it a lot, more and more I have come to appreciate the Danish government's online ID solution (MitID). It's certainly not perfect, but it does allow you to do ID verification without exposing PII to companies.

Understandably not everyone who needs to verify your identity is going to implement MitID; I can understand X not wanting to do that for the limited number of users they have in Denmark. It's simply not worth the cost. What I don't get is why more countries don't have this. The US sure seems like it would benefit greatly from having a standardized, safe and secure online ID (MitID may or may not be as secure as it could be).

[+] dinglestepup|1 year ago|reply
"Our customers’ security is of the utmost importance"

They don't even have 2FA enabled for logging into such a sensitive portal?

[+] asadm|1 year ago|reply
Users aren't their customers, Israeli govt / Mossad is.
[+] heavyset_go|1 year ago|reply
It's going to be fun when there's repeated incidents like this each week because every site will require your driver's license to prove you're 18 so you're allowed to post on the internet.
[+] leni536|1 year ago|reply
Does the ID verification service retain personal information after verification? If so, why?
[+] Grimblewald|1 year ago|reply
So that they can sell it, of course. Naturally they have to claim it was leaked afterwards, but that sale is a hefty bit of cash, all for zero repercussions? If you're an amoral megacorp, it's a no-brainer.
[+] Mindwipe|1 year ago|reply
Because it has to or there's no verifiable audit trail that any verification was ever performed.

Any service that claims otherwise is lying or will get sued to oblivion very quickly.

[+] frugalmail|1 year ago|reply
Recently there was mass infringement by the Democrat politicians or government reps of our 1st Amendment rights indirectly through social media as proven by the #TwitterFiles.

The fact that these sites are now forcing users to submit to these identity disclosures simply because of some potentially fabricated rationale is really concerning.

All of that with the nonchalant attitude of these data service providers, I'm deeply concerned.

[+] hanniabu|1 year ago|reply
High-profile fintech partners: Mercury, Stripe, Affirm, Airwallex, Alloy, Bond (now part of FIS), Branch, Dave, EarnIn, TabaPay, and previously worked with Wise and Rho, though both have since migrated to other bank partners

Leaked account holder info: name & address, email, phone, unencrypted SSN/TIN, DOB, fintech platform

Leaked account info: status, type, balance, last activity, opened date, account number, daily limits