l33tplaya, posted July 17, 2020

This site has a few violins every so often, but somehow - link from Maestronet? - got on their distro list. Thought the following would be of interest. Sadly, this is becoming the new normal. When will companies learn to secure their databases? Note the price - just that of a not very good Juzek or dutzenware.

"LiveAuctioneers disclosed a data breach after a well-known data breach broker began selling 3.4 million stolen user records on a hacker forum. BleepingComputer was told by the data broker that the database is being sold for $2,500. The breached data includes user's emails, usernames, MD5-hashed passwords, names, phone numbers, addresses, IP addresses, and social media handles. In addition to the data, the seller stated that three million of the accounts had their passwords decrypted, which were also included in the sale."

l33tplaya, posted July 17, 2020

The link: https://www.bleepingcomputer.com/news/security/liveauctioneers-reports-data-breach-after-user-records-sold-online/

The cause: "trusted" third party partner. Of course. Irresponsible.

Violadamore, posted July 17, 2020

Thanks for posting this. Not my problem, but noticed another story on BC, where Microsoft just managed to crash all their Outlook users by sending them a new virus update, thus boosting sales of open-source products.

Shelbow, posted July 17, 2020

Yep shitty third parties as standard. I used to be in charge of GDPR and data security for a year or so in a previous job. Had to deal with a few minor third party data breaches. My sister is a data security consultant.

Violadamore, posted July 18, 2020

29 minutes ago, l33tplaya said:
The link: https://www.bleepingcomputer.com/news/security/liveauctioneers-reports-data-breach-after-user-records-sold-online/ The cause: "trusted" third party partner. Of course. Irresponsible.

5 minutes ago, Shelbow said:
Yep shitty third parties as standard. I used to be in charge of GDPR and data security for a year or so in a previous job. Had to deal with a few minor third party data breaches. My sister is a data security consultant.

Third party partner. Isn't that geek speak for "people that we sold your data to legally"?

Shelbow, posted July 18, 2020

Well sometimes it's people you paid to process things or do research for you. They are not part of your company but you may have given them some access to your data in some way. They have no direct relationship with the users whose data they process but they have access for a whole multitude of reasons. A lot of breaches happen with these kinds of providers.

l33tplaya, posted July 18, 2020

2 hours ago, Violadamore said:
Third party partner. Isn't that geek speak for "people that we sold your data to legally"?

You are too funny. Or prescient. Seriously, it's usually 3rd party data processors, because the requirements to process securely are too onerous for smaller or even large companies, and no one wants to deal with it properly. 3rd parties are supposed to conform to regulatory standards as well as the hiring company standards. In my experience, over half do not, which is why some of us get paid to tell them what they are doing wrong.

Now we have much stricter GDPR and CCPA (California does something right), as well as tough new standards in Maine, which is the first to require opt-in of consumer information sales, vs California and Nevada, et al, which are opt out.

https://www.csoonline.com/article/3429608/11-new-state-privacy-and-security-laws-explained-is-your-business-ready.html

Edited July 18, 2020 by l33tplaya: added link

Violadamore, posted July 18, 2020

1 hour ago, Shelbow said:
Well sometimes it's people you paid to process things or do research for you. They are not part of your company but you may have given them some access to your data in some way. They have no direct relationship with the users whose data they process but they have access for a whole multitude of reasons. A lot of breaches happen with these kinds of providers.

17 minutes ago, l33tplaya said:
You are too funny. Or prescient. Seriously, it's usually 3rd party data processors, because the requirements to process securely are too onerous for smaller or even large companies, and no one wants to deal with it properly. 3rd parties are supposed to conform to regulatory standards as well as the hiring company standards. In my experience, over half do not, which is why some of us get paid to tell them what they are doing wrong. Now we have much stricter GDPR and CCPA (California does something right), as well as tough new standards in Maine, which is the first to require opt-in of consumer information sales, vs California and Nevada, et al, which are opt out.

Yup. I used to be in the business. Thank you both for your responses. I'd type something brilliantly sarcastic at this point to express my feelings about how a lot of that processing is currently done, but it would be neither wise nor productive.

L.Colburn, posted July 18, 2020

I had a friend starting back in high school in the late '70s, who wrote backdoors into every program he ever worked on and would periodically check to see if it was still viable. University, State Government, Payroll, Library services, security for a very large regional research museum. The FBI finally caught up with him and he went straight and became a consultant. He's dead now but his legend lives on.

PhilipKT, posted July 18, 2020

I have no idea what you're talking about. I have an account at LiveAuctioneers, so I am assuming they got my information, but if I change my password everything should be peachy right? Actually I recall a couple of days ago I was forced to change my password and I did so. I don't think I've ever bought anything on the site so they wouldn't have my credit card information anyway.

Edited July 18, 2020 by PhilipKT

jacobsaunders, posted July 18, 2020

4 hours ago, PhilipKT said:
Actually I recall a couple of days ago I was forced to change my password and I did so.

Your new password is JuzekPrague?

Pate Bliss, posted July 18, 2020

5 hours ago, PhilipKT said:
but if I change my password everything should be peachy right?

Unless you used the same combo at your bank. Programs try the stolen user names and unencrypted passwords on every bank in the world looking for a hit.

Wood Butcher, posted July 18, 2020

1 hour ago, Bill Merkel said:
Unless you used the same combo at your bank. Programs try the stolen user names and unencrypted passwords on every bank in the world looking for a hit.

Yes, much easier to hack low level sites with poorer, or outdated security than to go straight for financial websites. Low level sites become a soft target and are the weak link in a chain. Despite knowing it is foolish to do so, I think many still use the same passwords and ID across multiple platforms. Once the hackers have this, they can try it everywhere in seconds, and will get lucky sometimes.

Shelbow, posted July 18, 2020

8 hours ago, Violadamore said:
Yup. I used to be in the business. Thank you both for your responses. I'd type something brilliantly sarcastic at this point to express my feelings about how a lot of that processing is currently done, but it would be neither wise nor productive.

Yes not processed securely at all in most cases sadly. I don't know about you but I'm glad that I have almost nothing to do with that kind of stuff anymore.

Wood Butcher, posted July 18, 2020

1 hour ago, jacobsaunders said:
Your new password is JuzekPrague?

These days, passwords are required to contain at least one upper case letter and a number too. Better to go with Iwant2haveJuzeksbabies