
Time Warner Cable says up to 320,000 customers' data may have been stolen - doctorshady
http://www.reuters.com/article/us-twc-cyberattack-idUSKBN0UL01P20160107
======
jacquesm
One simple trick to make it easier to determine the source is to embed a
couple of sentinel records into your DB. That way if it does get leaked you
are sure that you were the source and if another party is the source you will
know this because your sentinels will not be present. This helps to strengthen
the claim that the data was not leaked through your company (it is not a
guarantee, after all it could be an inside job with the sentinels stripped but
the chances are somewhat reduced).
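
The sentinel-record idea from the comment above, as an added example that is not part of the original thread. It goes one step further than the comment by deriving a distinct set of sentinels for each copy of the data (the key, domain and copy labels are constructed assumptions), so a leaked dump can be matched to the copy it came from:

```python
import hashlib
import hmac

# Constructed values for illustration: a real key would live in a secrets manager,
# and the domain would be one you control so mail to sentinels can be monitored.
SECRET_KEY = b"constructed-demo-key"
SENTINEL_DOMAIN = "sentinel.example"


def sentinel_records(copy_label, count=3):
    """Derive deterministic fake customer rows for one copy of the database."""
    rows = []
    for i in range(count):
        tag = hmac.new(SECRET_KEY, f"{copy_label}:{i}".encode(), hashlib.sha256).hexdigest()
        rows.append({
            "name": f"Pat {tag[:6].capitalize()}",
            "email": f"u{tag[6:18]}@{SENTINEL_DOMAIN}",
        })
    return rows


def attribute_leak(leaked_emails, copy_labels, count=3):
    """Return {copy_label: sentinels_found} for every copy with at least one hit.

    An empty result is inconclusive rather than exculpatory: the data may have
    come from elsewhere, or the sentinels may have been stripped by an insider.
    """
    leaked = {e.strip().lower() for e in leaked_emails}
    hits = {}
    for label in copy_labels:
        found = sum(1 for r in sentinel_records(label, count) if r["email"] in leaked)
        if found:
            hits[label] = found
    return hits


if __name__ == "__main__":
    copies = ["production", "billing-vendor", "marketing-export"]
    # Constructed dump: two ordinary addresses plus the billing vendor's sentinels.
    dump = ["alice@example.com", "bob@example.org"]
    dump += [r["email"].upper() for r in sentinel_records("billing-vendor")]
    print(attribute_leak(dump, copies))      # which copy the dump matches
    print(attribute_leak(dump[:2], copies))  # no sentinels present
```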

------
staunch
The U.S. needs consumer protection laws. Companies won't stop unethically
collecting and retaining data on their own.

[https://en.wikipedia.org/wiki/Right_to_be_forgotten](https://en.wikipedia.org/wiki/Right_to_be_forgotten)

~~~
Keverw
But don't companies need to collect and retain data to operate their
businesses? Like they need your info to bill you, they need info to login to
your account, your emails stored if you use their included email, etc.

~~~
nitrogen
Data can be deleted when it's no longer needed. Sale of data can be forbidden.
Old data can be encrypted by the customer's public key so only the customer
can initiate access. There are many ways to roll back the madness.

~~~
Tinyyy
>customer’s public key

The general public has no concept of what a ‘public key’ is.

~~~
rickycook
a "public key" can also just be a secret. "Apple toothpaste monkey piano" is
something someone can write down for recovery. they don't need to know; they
just need to remember where they put it (which might be a stretch, yes, but
it's better than storing things in plain text)

~~~
incongruity
Actually... that'd be a private key.

------
jwcrux
Assuming the source of the credentials (malware, other breaches, etc) is
correct, 320k isn't outlandish by any means.

My Twitter bot, @dumpmon, comes across thousands of leaked creds per day, and
that's only on pastebin.

This, combined with "checker" services that can verify credentials to services
like TWC, makes things like leaked credentials be correlated into "from these x
unique dumps, we have a group of creds that all work with TWC as well".

My guess is that TWC was alerted to a file someone was trying to sell that
took leaks from other public/private dumps or malware infections, checked them
against TWC, and verified that they all happened to work. This would be why
TWC wouldn't be able to pin down an exact source - there absolutely doesn't
have to be just one source.

It happens more than you think.

~~~
magicmu
Solid analysis, your guess makes a lot of sense IMO. I suspect that these
kinds of "breaches" take place far more often than is reported -- I think
until people are better educated about the importance of using unique
passwords for their individual online accounts, it's an uphill battle.

------
madaxe_again
Poor Time Warner, the little innocent lambs! I hope the responsible executives
get a big raise and bonus to help make up for the emotional distress this must
be causing them.

Fucking morons deserve jail time.

~~~
runarb
That escalated quickly...

~~~
dickbasedregex
Meh not really. If there were real repercussions to fucking up lives because
you leaked their private data that would be one thing. Zero sympathy for the
company as a whole.

------
remarkEon
This will go quite well with their new "We at Time Warner Cable need to
apologize to you..." ad campaign.

[http://www.webpronews.com/time-warner-cables-new-ad-strategy...](http://www.webpronews.com/time-warner-cables-new-ad-strategy-poke-fun-at-crappy-customer-service-2015-10/)

~~~
tinalumfoil
> The company said email and password details were likely gathered either
> through malware downloaded during phishing attacks or indirectly through
> data breaches of other companies that stored Time Warner Cable's customer
> information, including email addresses.

If the data was stolen through malware then this isn't TWC's fault. People
just need more education on how to secure their computers.

~~~
mentat
320,000 people didn't download malware. A privileged user at TWC did.

~~~
jkestner
And this seems to imply that the customer passwords stolen weren't properly
salted/hashed/etc. If so, not the customers' fault.

------
bottled_poe
Alternative headline: "Time Warner Cable fails to secure data, exposes 320,000
customers"

------
mizzao
Guess that explains why some random payments showed up on my credit card (used
for recurring billing) and I just had to have it cancelled and re-issued.

There were only a few other payments on the card - NYTimes, DigitalOcean. Are
there any recent breaches at those companies?

------
FreedomToCreate
Most people in the US have no idea where their information is these days. Any
start ups developing software that can monitor server connections and use ML
to detect unauthorized or unusual connections?

~~~
stephengillie
Products range from anti-scraping (Distil) to intrusion prevention (Juniper et
al) to traffic-shaping filters (Juniper et al) to content redirection
(Netscaler) and beyond.

------
jlgaddis
I like how they don't know where the data was obtained from, yet they know it
didn't come from them.

~~~
sosborn
How are these two things mutually exclusive?

------
adunna
The writing style makes it seem like there are unhashed passwords that were
stolen. Very few details.

------
bcook
Can I just skip the middle-man and sell my information directly to the
criminals?

~~~
MicroBerto
They don't pay for it. That's why they're "criminals". As opposed to the ones
that buy it.

Either way, your privacy is dead, unless you can find a way to not have your
home address on your account. I use a UPS box for everything... Except home
utilities and Internet / cable.

~~~
jlgaddis
I use my PO Box for everything but my phone, gas, electric, and Internet
providers obviously have (need) my home address.

Your utility companies have yours as well.

------
hughes
Note - this is likely not the result of a database breach. This is just notice
that some malware has possibly been recording TWC passwords.

~~~
Keverw
[http://www.nbcnews.com/tech/security/time-warner-warns-custo...](http://www.nbcnews.com/tech/security/time-warner-warns-customers-their-emails-passwords-may-have-been-n491686)

"In a statement provided to NBC News, the cable giant said "there are no
indications that TWC's systems were breached," and suggested the mails may
have been acquired earlier by other means, such as malware, phishing attacks
on subscribers or security breaches at companies that stored TWC customer
information."

So seems like it was just phishing and malware to the unlucky ones.

~~~
phaedrix
"or security breaches at companies that stored TWC customer information"

~~~
Keverw
hmm wonder what they mean by that though. Companies they contracted with
directly or for example maybe someone signed up for a forum or another large
website using their same email and password as TWC email?

~~~
fweespeech
TWC sells all of the subscriber data that they legally can to 3rd parties,
like most major companies.

~~~
mkagenius
But those passwords would be encrypted, as it comes from TWC. While any other
3rd party who gets it from the user can altogether skip encryption.

------
ommunist
It seems, US legislation on customer data protection needs an upgrade and
proper enforcement of ISO 27001 adoption across companies dealing with private
personal data. The cheaper alternative exists. To prohibit completely storage
of personal data, and only accept transactions with anonymous cryptocurrency.

~~~
mhuffman
Ha! That is not how legislation in the US works.

I expect upping the sentence for accessing an "unauthorized system" to a top-
level 40-year felony and everyone congratulating each other with a "well that
should take care of it!" job well done.

Probably in the same bill, I would expect amnesty for management in exchange
for whistleblowing on software engineers that did not follow "best practices".

And finally, perhaps some pamphlets with "tips" to "teach the public" what
they can do to better protect their privacy ... none of which will involve not
giving your information to large corporations.

~~~
bcg1
Don't forget that they'll bundle it with a law that prohibits kicking
puppies... so that if you point out the flaws or say it won't work, they can
shoot you down as a naysaying puppy kicking sicko.

------
donatj
Aww crap. I wonder if this applies to former customers / how far back. We were
Time Warner until about 2005 when Comcast took over our area. Our service
actually _significantly improved_ under Comcast.

------
mark_lee
It's security, not PR, stupid! Time to get your hands dirty and IT shit done,
stop keeping advertising, you moron!!

------
JumpCrisscross
What fraction of email traffic is sent or received by an ISP mail server?

