It says the company claimed that the credential leak was discovered and remediated 18 months ago, but the leaked credentials were still working as of a month ago.
Is this level of governance and sophistication really typical of vendors in this space? Sprawling enterprises I can imagine losing track of the odd place or two where the credentials are used, but a vendor who only does one thing, specifically a high-trust thing like this?
Even if they don’t have the wherewithal to be thorough in-house, am I confused to imagine that such a firm would have to carry insurance, which would tend to bring in specialists to make sure this kind of remediation is done right?
It's not a high-trust thing; these vendors exist largely because they give the organizations with direct relations with consumers a step of removal when a breach occurs. They are blame-outsourcing firms.
Sure, but companies also don’t want to deal with building the system themselves (especially if you want to support multiple countries) and dealing with potentially doing something wrong like violating anti-discrimination laws.
Why are they keeping a copy is what I’d like to know. It’s enough to know they checked it and verified it, so then they can delete it. Why keep copies at all? Or at least blank out critical parts that aren’t public knowledge. This is so stupid.
Retention policies are likely set by the client. That’s how it works with the vendors I’ve worked with in this space, but I haven’t worked with this specific vendor.
If you need to check someone's government ID, you probably expect to have to go to court or otherwise deal with the government over it at some point. Being able to show why you thought it was someone, not simply that you thought it was someone, is important.
> but a vendor who only does one thing, specifically a high-trust thing like this?
They’re not in the business of being trustworthy or secure, it’s just another software shop trying to grow product.
> which would tend to bring in specialists to make sure this kind of remediation is done right?
Ideally, sure. In reality an insurance company has many thousands of customers, they can’t possibly do any real assurance beyond basic compliance. Managing access and credentials is a hard problem for well staffed security teams, let alone a single compliance auditor.
Uber wouldn’t delete my data when I demanded them to, they just hung up on me rudely. I escalated to the CEO and they sent me this message explaining why and assuring my fears of a data leak were “unfounded”:
Maribel again with Uber Support. Thank you for your patience while I took a further look at the deletion request. Unfortunately, we are unable to delete all of your information on the account due to security measures. Please visit our Privacy Notice for more details, specifically the sections titled E. Data retention and deletion. As of May 12, 2024, your account was marked for deletion. Keep in mind that deleting your driver account is permanent and will automatically delete your rider account as well. Any credits associated with your accounts will be lost.
Additionally, I want to emphasize that we have strict security measures on the platform to ensure that your personal information and your safety are secured.
Your understanding is appreciated.
I genuinely think it should be a legal liability to make a claim such as "we have strict security measures on the platform to ensure that your personal information and your safety are secured."
First, because they're probably just outright lying to imply they're taking security as a paramount priority. They're likely following minimal guidelines to cover their own asses legally.
Second, because it's physically impossible for them to guarantee data security. It's like making a promise to a child that they're never going to die. A security breach is a matter of probability, not a door you can close and forget about. A society that allows companies to make absolute assurances about security at all is endangering itself. But it also means that levels of security and due diligence are difficult to quantify because we don't even conceive of it as a probabilistic issue.
(I also just watched the new Ashley Madison doc and it's really sticking with me that they made up fake certificates of security while putting virtually no effort into the real thing, and actively chose to play chicken with their users' data when they had the option of closing up shop - an extraordinarily clear case of being blinded by greed, especially as the payout was obviously forfeit if the hackers followed through. Both of these choices should have legally put much of the blame for the fallout and suicides on the CEO.)
GDPR allows retaining any information necessary for complying with legal requirements (e.g. taxes). But that exception is to be interpreted as narrowly as possible.
A website I went to had a delete my data link. I wondered what would happen if I put I was in Europe even though the website doesn’t cater to non-USA users. They still told me they would not be deleting my data because they had to keep records for x number of years due to legal requirements such as law enforcement and financial reporting.
Any company that operates a federated service in the EU cannot possibly comply with GDPR, so I'm sure there are companies who never really delete the data you requested.
Of course they leaked the data. Any seasoned techie could've seen that coming from the start.
One of these days, some seasoned and principled lawyer, who knows a bit about tech, is going to get ticked off, and decide to make one of these companies truly pay for their gross negligence.
Then, gazing at the obliterated company, other companies will try to get legislation to let them let them off the hook, but some of those companies will decide the party of recklessness is probably over, and that they need to start acting responsibly and competently.
There should be nothing to leak. The record of verification should be a signature saying what was verified and how and when and nothing about the underlying documents/images/data off of which the verification was based.
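The data-minimised verification record the comment above describes, as an added example (not the commenter's code and not any vendor's implementation): the verifier runs its checks on the scanned document, then stores and returns only a signed claim of what was verified, how and when, keyed to an opaque account reference. Assumptions: the field names, the `automated_ocr_v1` method label and the sample scan are constructed for this example, and an HMAC with a fixed key stands in for the asymmetric signature a real verifier would use so relying parties can check records without a shared secret.

```python
import hashlib
import hmac
import json
from datetime import date, datetime

# Constructed signing key for this example only. A production verifier would
# sign with an asymmetric key; HMAC is used here to keep the example
# dependency-free.
VERIFIER_KEY = b"constructed-example-key-do-not-reuse"

# Fields lifted from the scanned document that must never reach the stored record.
DOCUMENT_FIELDS = {"full_name", "date_of_birth", "address", "document_number", "image"}


def canonical(record):
    """Stable byte encoding so the MAC covers exactly the stored fields."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record, key=VERIFIER_KEY):
    """Attach the verifier's MAC over the minimal claim."""
    mac = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "signature": mac}


def verify_record(signed, key=VERIFIER_KEY):
    """Relying-party check: was this claim produced by the verifier, unmodified?"""
    body = {k: v for k, v in signed.items() if k != "signature"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("signature", ""))


def contains_document_data(signed):
    """True if any raw document field leaked into the record."""
    return bool(DOCUMENT_FIELDS & set(signed))


def verify_and_attest(scan, subject_ref, now):
    """Run the checks on the scan, then emit only what was verified, how and when.

    subject_ref is an opaque account id supplied by the relying party. The scan
    itself is not retained, so a breach of the record store yields no documents.
    """
    checks = []
    if scan.get("mrz_checksum_ok"):
        checks.append("mrz_checksum")
    if scan.get("face_match_score", 0.0) >= 0.9:
        checks.append("face_match")
    if date.fromisoformat(scan["expiry"]) > now.date():
        checks.append("not_expired")
    record = {
        "subject_ref": subject_ref,
        "document_type": scan["document_type"],
        "checks": checks,
        "method": "automated_ocr_v1",  # hypothetical method label
        "verified_at": now.replace(microsecond=0).isoformat(),
        "outcome": "verified" if len(checks) == 3 else "rejected",
    }
    return sign_record(record)


# Constructed sample scan carrying the kind of PII that should never be stored.
SAMPLE_SCAN = {
    "document_type": "passport",
    "full_name": "Jane Example",
    "date_of_birth": "1990-05-01",
    "document_number": "X1234567",
    "image": "<binary omitted>",
    "expiry": "2031-01-01",
    "mrz_checksum_ok": True,
    "face_match_score": 0.97,
}


def attest_sample(now_iso="2024-06-01T00:00:00+00:00"):
    """Verify the constructed sample scan at the given time and return the signed record."""
    return verify_and_attest(SAMPLE_SCAN, "acct-42", datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    signed = attest_sample()
    print(json.dumps(signed, indent=2))
    print("valid:", verify_record(signed), "leaks document data:", contains_document_data(signed))
```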
That is needlessly complicated. The problem is the US federal government does not provide an identity verification API as an infrastructure service. And it easily could, using the USPS’s physical locations and its workflow for processing US passport applications, which already involves identity verification.
Or even just coordinating the 50 states’ motor vehicle commissions or whatever since they are also verifying identities to issue drivers’ licenses and state identification cards.
Are you suggesting that bulk-buying a year of Experian credit report access for the few people who haven't already won a subscription from some other leak isn't a consequence? Or that being able to see your own credit report isn't compensation enough? Heresy!
For various reasons I started to open a bank account with Mercury, before deciding to use another provider.
When I said I'd no longer be finishing the application and to please delete my passport info, first they ignored the second part.
When I replied again asking them to delete my data they replied about KYC laws and assured me the data was securely stored of course.
At that point I gave up. Maybe they could delete the data if I fought, maybe their hands were tied, maybe me fighting would end up flagging my info as a money laundering risk. But I immediately imagined exactly this leak happening.
They're not the only vendor affected that had my data, nor is this breach the first, but that's the one that stings the most.
Anecdotally I'm being swarmed by text message spam for the first time in months. I have to assume people are running through new breach data to find live numbers.
"One of these days, some seasoned and principled lawyer, who knows a bit about tech, is going to get ticked off, and decide to make one of these companies truly pay for their gross negligence."
Principled lawyer who knows about tech here: This won't happen.
1. It's probably not gross negligence - gross negligence is an extreme departure from ordinary standards of care - the ordinary standard here seems to be to suck at security :)
Legislation could establish a standard of care here and make this kind of thing gross negligence, but that hasn't really happened yet.
It's also not obvious they owe a duty of care to anyone in the first place, without which negligence is impossible (at least regular old negligence) - this also needs legislative fixing unless you want to end up arguing about it forever.
2. Damages are basically all speculative - what is your actual injury here, and how much can you prove the value of it.
Lots of people on HN love to say how much X or Y is worth. What can you actually prove in terms of real loss?
It's fun to argue speculative loss (ie the value of your personal information maybe being stolen in the future, etc), but most cases are about real loss.
In practice where it's too hard to calculate we often end up with statutorily set damages. That also hasn't happened here.
Sorry to burst your bubble - without a bunch of legislation here, nothing is going to happen outside of the regular old class action lawsuits and $5 coupons.
> 1. It's probably not gross negligence - gross negligence is an extreme departure from ordinary standards of care - the ordinary standard here seems to be to suck at security :)
How hard is it to find a single company which does it right to testify? And then the defense would have to find experts and several other legal counsels from similarly sized companies willing to testify that they also "do it wrong as a norm", with the extremely high risk of being included in the malpractice claim if the defense fails.
I mean, if you live forever and cannot die by any means, your odds of getting stuck somewhere approaches 100% (fall in a pit, landslide, fall overboard on a boat, stuck in the sun, lost in space, etc).
I imagine it is the same for data. The longer it is available, the more likelihood of it getting out of the company.
> make one of these companies truly pay for their gross negligence.
I think our whole industry is rotten and we need to drastically rethink a lot of what we do. This is unacceptable and it shouldn't be this hard. We need a reckoning.
We might, but as long as the average person does not consider it an issue (and the Equifax breach[2] proved it is merely the cost of doing business[1] -- ~400 million out of $3,362 million profit in 2017), it will not be an issue. I am annoyed, but I have been annoyed for a long time. I am just waiting for the rest of the non-technical people to catch up, because it eventually should happen. But then... I am an optimist.
It's kinda impossible to give out DL, SSN, etc to so many companies and not have it leak. If these theoretical lawsuits scared companies enough, they might pay some centralized third party to handle the verification for them, but bad things follow from that.
The federal and state governments hand out these IDs in the first place. Shouldn't they be the ones to verify them?
Honestly, I hope Ron Wyden (I think his name is, US politician) takes this up. He has previously done excellent work calling on companies to be accountable for such invasive and insecure practices.
Problem is, "Evil Hackers" always get the blame rather than the negligent companies, who play the victims. They trot out all the usual flawed analogies about locked doors and burglars, to excuse their negligence, and it works! So, the only legislation we ever see is to be Tougher And Tougher On Hackers instead of holding these clown companies responsible for the data they act as custodians of.
For negligence to arise there must be, inter alia, duty and proximate harm. I think you’ll find the identity services have a duty to their contractual partner, the website, but not to the victim whose identity was stolen. And there’s a circuit split as to whether any of these people were even harmed.
While litigation seems appealing, the answer here is legislation.
Sometimes there's probably negligence involved; sometimes not. You don't know without having access to the specifics. Always blaming "negligent companies" is just as wrong as always blaming "evil hackers".
1. Develop features at any cost, over-collect data, neglect security
2. Hacker gets in, picks up the entirety of the data made readily available: credit card numbers, social security numbers, prod credentials, sexual orientation predictions that the company made on their customers for some reason, all of the pay history of the company, Instagram creds of the CEO's girlfriend, and takes a dump in their bathroom
3. Try to shush the story
4. It gets exposed by an independent journalist in Kazakhstan who just reads /r/leaks
5. "we recently discovered that a malicious individual got access to a few logs on a random test server. Oops! So far we didn't find proof that it was used. Rest assured that security is our utmost priority. We love security here at ACME corp. Our teams have matching 'security' shirts, and every Thursday we pray to Glombo, the security god. As a gesture to our customers we offer everyone a free 2 week trial of our 'security+' package ($15.99/M after trial, don't forget to cancel). Once again, sleep well knowing your data is safe with us!"
6. 6 months later the security gap is half plugged by an intern developing a novel password management system that encrypts passwords in base64
7. Go to 1. because no-one cares
I hate to critique such a fine piece of work as your comment, yet I must add a 5.a) as an option taken by especially high-quality Profit corps: Blaming their customers for the leak (e.g. 23andMe).
Wow, look at that list of clients: eToro, Coinbase, Payoneer [1].
Is there any way to determine if your information was leaked? The driver's license picture should qualify as biometric information under some states' laws [2].
Until pretty recently drivers license ID numbers in many states were effectively public, and if your license was issued at least 10 years ago, it probably still is.
Nope. It was pretty common to have them and/or your SSN printed on your personal checks, and if they weren't, the merchants would often ask to see ID and write the numbers on the check themselves.
This all feels like some Orwellian nightmare to me. Things like TikTok and X shouldn't require any ID verification in my mind; the rest of this fiasco just underscores all the other reasons why this is a bad idea.
Neither should Uber. I never needed to show ID to hail a cab. You just stood at the corner and waved your arm. Are we talking about Uber drivers here? That makes some sense. But passengers? (I don't know, I don't use Uber.)
Drivers are background checked but honestly they probably get more abuse and attacks than passengers. After all there's no accountability on riders but there is accountability on the drivers.
The thing with all these leaks is that IDs are rapidly becoming worth less and less for the sake of actually proving your identity. Part of me believes a lot of this is intentional, to try to force people into using biometric ID like iris scans or fingerprints to verify, since physical IDs are so widely leaked and so thoroughly distributed to criminals that they're no longer trustworthy documents.
I agree wholeheartedly, and I'm going to go a bit further...
I think that I'm either out-of-touch or far enough outside the bubble to be able to provide an objective viewpoint, but:
Needing to verify government issued ID to create an account for high-in-the-clouds pure "lifestyle" services such as Twitter and TikTok? Fuck me, is this how far we've come? Is this the destination anyone actually wanted to reach?
> Is this the destination anyone actually wanted to reach?
The services you register at love to ID you. Government pretends it tries to protect minors, but I simply do not believe them. And if so, this certainly would not be the way; on the contrary, they expose them to additional threats.
Didn't X switch to Stripe already? There was a huge uproar over people protesting Palestine being concerned about having their ID (with home address), biometrics (which they admitted to collecting), and other info to a company with such direct ties to Israel.
I don't know about this company specifically, but I know it's common for the government to essentially act as an incubator for tech companies, so the concerns probably weren't unwarranted.
I guess even with the switch, some people probably verified prior so it likely has some impact on X still -- and maybe this is actually what moved the needle internally, since the users were calling it out as a concern for quite some time.
I had no clue uber and tiktok used them though, so that's good to know - thankfully I haven't given them my biometrics as of yet.
Oh wow didn’t know that stripe has Israeli ties. Thanks for the heads up—I’ll try to shop around for a more ethical alternative. May not be able to though—launch is imminent!
So you commented without verifying the fact was true? And it turns out it isn’t.
Slow down. Don’t trust vague statements that don’t cite sources. Look for the nuance in the situation. Be curious and try to learn, don’t just follow the crowd.
Also, it’s fucking weird to me to assume that all Israeli private businesses are unethical. Sure, there’s probably some. Sure, their tax dollars are fungible with the government actions you consider unethical.
But aren’t you penalizing the secular tech entrepreneurs of Israel by divesting from anything related to the country? These are the same demographic that spent every weekend for most of 2023 protesting their own government’s attempt to become more subservient to the Netanyahu coalition.
Zero fucks given: "None of those companies responded to multiple requests for comment from 404 Media."
/s
One of many, many shitty things introduced by the Patriot Act that we now just live with.
At this point, it's pretty safe to just assume that any personal data any company has about you will be leaked sooner or later.
[1] https://www.ftc.gov/enforcement/refunds/equifax-data-breach-...
[2] https://en.wikipedia.org/wiki/2017_Equifax_data_breach
OF COURSE IT'S THE CUSTOMER'S FAULT!
[1] https://www.au10tix.com
[2] https://www.huschblackwell.com/2023-state-biometric-privacy-...
The feds made sure our DL data wasn't protected.
ref: https://cyberplayground.org/2011/12/07/drivers-privacy-prote...
Florida gets hundreds of millions of dollars each year selling its residents' DL data.
ref: https://www.wftv.com/news/local/can-florida-legally-sell-you...
Companies are also incentivized to do it to prove their actual active user counts versus bots.
Stripe is Headquartered in US / and I believe Ireland - not Israel. Sorry for the confusion.
you misunderstood OP. He meant the previous authenticator for X was autotix which was Israeli and then they switched to Stripe which is NOT.