Trying to understand what's the real damage here. Dates of birth, Email addresses, Loyalty program details, Names, Phone numbers - how is one going to use this data to cause a loss to the data owner? If any security check depends on this data by considering it a secret, then I guess it's the fault of that security check.

> If any security check depends on this data by considering it a secret, then I guess it's the fault of that security check.
That is very small solace when you're the victim, regardless of the failures of others. "But you shouldn't be using that data as validation!" is not the first response when, say, you find out someone's opened a credit card in your name with a $20K balance. Or your friends & family get phished (especially with the help of AI) because they know so much about you it had to be you.

> how is one going to use this data to cause a loss to the data owner?
One email to my sister going "I have hacked into your computer and know xyz, I'll spill your secrets unless you pay" was enough to make her freak out. It's all stuff that can be obtained from these leaks.

Vietnam is particularly bad with breaches. For like 25 cents you can send a Telegram bot a phone number and it will immediately reply with DOB, ID number, home address, Facebook profiles, Instagram profiles. I know this because everyone gets a freebie and I tested it out.

Phishing, scams and social engineering mostly. Such breaches are a gold mine for that.
Scam calls are a lot more credible when rather than starting with "Hello, this is Microsoft calling. There is a problem with your computer." you get a call like:
"Hello Mr. zkmon, this is Mallory from MasterCard. I'm calling to verify a recent, suspicious transaction from your card to Vietnam Airlines on August 6th. We just want to make sure that was you and your card is not being misused. Before we do that, can we please quickly verify your identity? I see here in our system that you're born in 1996. Can you please tell me your exact birth date so I can be sure I'm really talking to Mr. zkmon?"
Bonus points when the breach contains which bank you are with, so they can pretend to be them.
Also, such data breaches are useful for stalking people or tracking people down with very little information and then doxing them, etc. Say all you have is an online username of someone you don't like, so you just search a database of leaks for that string. From there you get an email address and a full name. And from there you can continue searching other breaches with those details and using other public sources.
Testing some emails in haveibeenpwned, I realized something terrible about these leaks.
In isolation, OK, you have just your personal data like birth date, name and phone number leaked, tied to an email.
But now that there have been so many leaks, just from a single email you can easily map an important part of a person's profile.
Give me an email, I now have:
- All identification details, sometimes scanned ID documents
- LinkedIn details about the person's professional history: which company, when, ...
- Even without a clear official address, you can get a rough estimate of where the person lives by looking at the countries or locations of the breached companies.
- With leaks from big and small retailers like Costco, I can see where the person does their shopping. It can be worse with specialized retailers, e.g. knowing that you might be vegetarian, or that you buy electronic products.
- With telecom provider breaches, you know a person's internet and mobile provider, and you can also discover that the person has multiple phone and mobile lines.
- With leaks from forums and the like, you can see if a user is into specific topics.
- With leaks from airlines like this one, you can tell if the person is a frequent flyer and might be a frequent visitor to certain countries or areas of the world, as companies are often strongly tied to their HQ country.
- You might also learn that a person frequently lives in a place/country other than their official residence.
...
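The pivoting that the two comments above describe (start from one username or email, pull every leaked record containing it, harvest the other identifiers those records expose, repeat until nothing new turns up), as an added example that is not part of the thread and not the code of any breach-search service. All five dumps are constructed sample data for one fictional person plus an unrelated decoy; the field names, the phone-number normalisation rule and the seed identifiers are this example's own assumptions.

```python
"""Breach-dump correlation by identifier pivoting.

Added example, not code from the thread or from any breach-search service.
Every dump below is constructed sample data.  The technique is the one the
comments describe: start from one identifier (email, phone or username),
pull every record that contains it, harvest the other identifiers those
records expose, and repeat until nothing new turns up.
"""
from collections import defaultdict, deque

# Constructed sample dumps.  Field names vary per source, as they do in
# real leaks.  The alex.p@example.com records belong to one fictional
# person; other.person@example.com is an unrelated decoy that must not link.
BREACH_DUMPS = {
    "airline_loyalty": [
        {"email": "Alex.P@example.com", "name": "Alex P", "dob": "1996-03-14",
         "phone": "+84 90 123 4567", "tier": "gold", "home_country": "VN"},
        {"email": "other.person@example.com", "name": "O. Person",
         "dob": "1980-01-01", "phone": "+61 400 000 000", "tier": "silver",
         "home_country": "AU"},
    ],
    "hobby_forum": [
        {"username": "zk_alex", "email": "alex.p@example.com",
         "interests": "vegetarian cooking, hiking"},
    ],
    "telecom": [
        {"phone": "0901234567", "subscriber": "Alex P", "lines": 2,
         "services": "fibre, mobile"},
    ],
    "old_webmail": [
        {"username": "ZK_Alex", "email": "alex.old@example.net",
         "recovery_phone": "+84901234567"},
    ],
    "retailer": [
        {"email": "alex.old@example.net", "ship_city": "Da Nang",
         "last_order": "electronics"},
    ],
}


def _norm_phone(value: str) -> str:
    """Canonicalise a phone number to +<digits>.  Assumption for this
    example's data: a local number with a leading 0 is a +84 number."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if digits.startswith("0"):
        digits = "84" + digits[1:]
    return "+" + digits


# Fields worth pivoting on, with their canonicaliser.  Anything else in a
# record is a "fact" about the person, not a link to other records.
PIVOT_FIELDS = {
    "email": str.lower,
    "username": str.lower,
    "phone": _norm_phone,
    "recovery_phone": _norm_phone,
}
# A recovery phone is the same kind of identifier as a phone.
KIND_OF = {"recovery_phone": "phone"}


def identifiers(record: dict) -> set:
    """The canonical (kind, value) identifiers one record exposes."""
    return {
        (KIND_OF.get(field, field), norm(record[field]))
        for field, norm in PIVOT_FIELDS.items()
        if field in record
    }


def build_index(dumps: dict) -> dict:
    """Map each canonical identifier to every (source, record) containing it."""
    index = defaultdict(list)
    for source, records in dumps.items():
        for rec in records:
            for ident in identifiers(rec):
                index[ident].append((source, rec))
    return index


def profile(index: dict, seed: tuple) -> dict:
    """Breadth-first pivot from one seed (kind, value) across all dumps."""
    kind, value = seed
    start = (KIND_OF.get(kind, kind), PIVOT_FIELDS[kind](value))
    seen = {start}
    queue = deque([start])
    hits = defaultdict(list)            # source -> records linked to the seed
    while queue:
        ident = queue.popleft()
        for source, rec in index.get(ident, []):
            if rec in hits[source]:
                continue
            hits[source].append(rec)
            for new in identifiers(rec) - seen:
                seen.add(new)
                queue.append(new)
    return {"identifiers": seen, "sources": dict(hits)}


def facts(prof: dict) -> dict:
    """Flatten the non-identifier fields the linked records expose, keyed
    by source.field; this is what turns one email into a profile."""
    return {
        f"{source}.{field}": value
        for source, recs in prof["sources"].items()
        for rec in recs
        for field, value in rec.items()
        if field not in PIVOT_FIELDS
    }


if __name__ == "__main__":
    index = build_index(BREACH_DUMPS)
    prof = profile(index, ("email", "alex.p@example.com"))
    print("linked identifiers:", sorted(prof["identifiers"]))
    for key, value in sorted(facts(prof).items()):
        print(f"  {key}: {value}")
```

The chain here runs email, then phone and username, then the old webmail address, then the retailer record that only ever knew that old address. Nothing in the retailer dump mentions the seed email at all, which is why checking each address in isolation understates the exposure: the linkage, not any single dump, is what yields the date of birth, the number of phone lines and the shipping city together.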
Vietnam is particularly bad with breaches. For about 25 cents you can send a Telegram bot a phone number and it will immediately reply with DOB, ID number, home address, Facebook profiles, Instagram profiles. I know this because everyone gets a freebie and I tested it out. For most twenty-somethings, the home address in the leaks is their parents' home in the countryside. It's a security nightmare for any girl, especially when they leave parcels containing name & phone number in the mailrooms of condo towers.

I think technically the CAN-SPAM Act applies to an international company with any US customers, but in practice no company primarily in another country cares about that US law.

Maybe if the US was willing to perform an air strike on each business that violated CAN-SPAM we'd get some real compliance.

Can't think of an airline I'd be less surprised to hear this about.
Vietnam Airlines once somehow managed to email me the boarding pass of another person due to fly with them the following day. I'd provided an email address to their sales agent when booking a flight on a different route some nine years earlier (back in the good old days of 2009 when they didn't have newfangled stuff like online booking), and didn't even have a remotely similar name to the individual whose boarding pass they'd sent me. I hope they didn't miss their flight! (Yes, I emailed back, copying in some customer service addresses that definitely weren't no-reply...)
I'm not an expert in airline PSS systems, but I know one thing - that isn't supposed to happen :)

Given how willing basically every major company is to sell your data to make money, this is basically already the case and has been for years.

And when governments try to plug some of the loopholes when it comes to privacy and data sharing, every major company finds some new gap to exploit or just does it illegally without telling anybody until they get found out and pay the fine.

Haven't heard a word from Vietnam Airlines - my whole family are members. Interesting to see how a Vietnamese organisation handles this type of incident.

Using an email alias per account helps avoid tying your details across websites; it works pretty well as long as a phone number is not associated with said account.
It also helps in tracking misbehaving websites that sell/leak your email or subject it to excessive spam. I recall Stack Social is one of the worst offenders.
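One way to make the per-account alias scheme from the last two comments also answer the "who leaked it" question, as an added example that is not from the thread and not any alias provider's code: tag each alias with a keyed hash so that only the holder of the secret can mint an alias the inbox will accept, then on inbound mail verify the tag and compare the sender's domain with the one recorded at signup. The catch-all domain example.com, the demo secret, the signup domain table and the sample messages are all this example's assumptions.

```python
"""Per-service email aliases that tell you who leaked them.

Added example, not from the thread.  Assumes a catch-all domain
(example.com) whose mail lands in one inbox; the tag scheme, the demo
secret, the signup table and the sample messages are this example's own.
"""
import hashlib
import hmac
import re
from base64 import b32encode
from typing import Optional

DOMAIN = "example.com"                     # assumed catch-all domain
SECRET = b"demo-only-key-rotate-me"        # per-user secret (demo value)
TAG_LEN = 8

# Recorded when you sign up: the domain a service is expected to send from.
# Constructed for this example.
SERVICE_DOMAINS = {
    "shop": "shop.example.org",
    "airline": "airline.example.net",
}


def _label(service: str) -> str:
    """Normalise a service name to the alias label (lowercase alnum)."""
    return re.sub(r"[^a-z0-9]", "", service.lower())


def _tag(label: str) -> str:
    """Keyed hash of the label.  Without SECRET nobody can mint an alias
    that attribute() accepts, so one leaked alias does not let a spammer
    guess the rest."""
    mac = hmac.new(SECRET, label.encode(), hashlib.sha256).digest()
    return b32encode(mac).decode().lower()[:TAG_LEN]


def alias_for(service: str) -> str:
    """Deterministic alias for a service, e.g. shop.<tag>@example.com."""
    label = _label(service)
    return f"{label}.{_tag(label)}@{DOMAIN}"


def attribute(rcpt: str) -> Optional[str]:
    """Which service was this address handed to?  None if the tag does
    not verify (typo, forgery, or not one of our aliases at all)."""
    local, _, domain = rcpt.lower().partition("@")
    if domain != DOMAIN:
        return None
    label, _, tag = local.rpartition(".")
    if not label or not hmac.compare_digest(tag, _tag(label)):
        return None
    return label


def triage(messages) -> list:
    """Classify (sender, recipient) pairs by what the alias reveals."""
    out = []
    for sender, rcpt in messages:
        service = attribute(rcpt)
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        if service is None:
            verdict = "reject: not a valid alias"
        elif sender_domain == SERVICE_DOMAINS.get(service):
            verdict = f"ok: {service} mailing its own alias"
        else:
            verdict = f"leak: alias for {service} used by {sender_domain}"
        out.append((rcpt, verdict))
    return out


# Constructed inbound messages: one legitimate, one from a third party
# that somehow obtained the shop alias, one guessed alias with a bogus tag.
SAMPLE_MESSAGES = [
    ("noreply@shop.example.org", alias_for("Shop")),
    ("deals@bulk-sender.example", alias_for("Shop")),
    ("deals@bulk-sender.example", "shop.aaaaaaaa@example.com"),
]

if __name__ == "__main__":
    for rcpt, verdict in triage(SAMPLE_MESSAGES):
        print(f"{rcpt:40} {verdict}")
```

The sender-domain check is a heuristic: a service that legitimately mails through a third-party bulk sender will show up as a "leak" until its sending domain is recorded, and a burned alias is retired by signing up again under a fresh label rather than by trying to block senders. As the comment notes, this only hides the email linkage; an account that also carries your real phone number or name is still correlatable across breaches by those fields.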
zkmon|4 months ago
skeeter2020|4 months ago
brightbeige|4 months ago
https://en.wikipedia.org/wiki/Phishing#Spear_phishing
flotzam|4 months ago
> Dates of birth, Email addresses, Loyalty program details, Names, Phone numbers
JCharante|4 months ago
basilikum|4 months ago
unknown|4 months ago
[deleted]
ceejayoz|4 months ago
greatgib|4 months ago
JCharante|4 months ago
derwiki|4 months ago
unknown|4 months ago
[deleted]
mustaphah|4 months ago
And now, my data is open-source ಠ_ಠ
TheDong|4 months ago
notahacker|4 months ago
tom1337|4 months ago
Jcampuzano2|4 months ago
naedish|4 months ago
nerdponx|4 months ago
8cvor6j844qw_d6|4 months ago
unknown|4 months ago
[deleted]
andrewinardeer|4 months ago
For those that don't know, Qantas stands for Queensland and Northern Territory Airline Service.