
Credit Karma glitch exposed users to other people’s accounts - pseudolus
https://techcrunch.com/2019/08/14/credit-karma-glitch-accounts/
======
pugworthy
Though not literally the same as loss of life, there has to come a point where
software "glitches" that lead to this kind of release are treated in a way
similar to a software "glitch" that leads to accidents with computer
controlled machines. Boeing's majorly paying for this right now, but companies
like this just get to say "Oops" and move on.

Again, it's not the same as people dying in a plane crash, but it's not in
the, "The car I ordered wasn't the same shade of blue I thought I was getting"
category either.

As software engineers (if you are one), we at some point have obligations to
our end users that top the obligations to the people who pay for our work. And
if I worked for Boeing, it's not my personal obligation to safety that keeps
that plane safe, it's Boeing's obligation, and their interest in a culture
that manifests a mindset in developers of "There's a lot riding on your
decisions."

~~~
rectang
The difference between those two "glitches", receiving an incorrect product
and Credit Karma's exposure, is that toxic asset: your data.

We are eventually going to come around to the fact that business models which
require keeping sensitive user data are highly risky — just like businesses
that handle toxic chemicals.

~~~
pessimizer
Not unless there's legislation giving people some ownership of their data and
companies some responsibility in its stewardship. Until then it'll be an
externality, which means that hoarding data is essentially free money.

Just like businesses who use and discard into the environment toxic chemicals
that there are no regulations covering.

------
maximente
it's time to factor in guaranteed exposure of data when considering pros/cons
of consuming any online service.

questions i've been asking myself lately:

\- how embarrassing or worse would an HN data breach (plug in favorite
$social_network) be to me when logs are exposed that link my activity in a way
that can trivially deanonymize me? how much does this reduce the value of
consuming the service in the first place?

\- how embarrassing or worse would a data breach at Uber/Lyft/other ride
sharing be for me? consider exposure of geolocation + timestamps. how much
does this reduce the value of consuming the service in the first place?

\- repeat for things like online dating or whatever else

these additional questions have helped me put risk vs. reward into perspective
when consuming services, no matter where they live or how useful they seem
prima facie.

~~~
buboard
My bigger question is why are people embarrassed for their opinions even if
they were expressed as trollish? There was a time when it was normal to
disagree with people.

~~~
Mountain_Skies
It's not just a question of embarrassment. There are activists who specialize
in identifying people who engage in wrongthink and contact their employer to
get them fired from their job. Employers who don't comply face boycotts and
social media attacks on their reputation.

~~~
Ascetik
Indeed. I was doxxed over a religious position I hold and underwent a 3 month
investigation at work for it. It was absolutely horrible and very stressful. I
have a family and small children. Some psycho who just couldn't handle that
someone disagrees with them spent the actual time to call my employer with the
malicious intent to get me fired. That this type of behavior is tolerated by
corporations is a gross injustice and it should be illegal.

------
SilasX
Heh, CK also alerts you when your data or password has been compromised in a
breach. Must be real fun to have to list themselves!

~~~
rvz
> Must be real fun to have to list themselves!

Exactly, we need to be very serious about the security of the thousands of
users at risk here and it's ironic how they list themselves in this security
fault. This to me looks like clownish behavior here.

But come on! You have to give them credit for informing you about all the
other security breaches out there and now including themselves. But hey,
karma's a bitch isn't it? :)

~~~
SilasX
Actually, I'm not even sure if they will go through and treat themselves like
a normal breach. But it will be a jerk move if they don't, and funny/ironic if
they do.

~~~
dragonwriter
> Actually, I'm not even sure if they will go through and treat themselves
> like a normal breach

They've explicitly claimed the “glitch” which exposed customer personal data
to other customers was not a breach, so it's pretty clear they will not.

~~~
sieabahlpark
A botched deploy wasn't a breach...?

------
harryh
FWIW: CK doesn't appear to show SSNs or account numbers which would limit the
damage from this kind of error.

------
jlmorton
Note that there are Twitter reports about this happening as early as 12 hours
before Credit Karma's initial response.

It seems this was happening for a long time, but Credit Karma did not notice
until their social media team came in at 9am PDT.

------
caconym_
Well, this makes me feel better about not signing up for CK because it gave me
a vague skeezy feeling.

We need to make some big changes and I am not looking forward to living in the
inevitable future where they haven't been made.

------
PopeDotNinja
At some point in the near future, a company with a data breach will update
its TOS post-breach to say that all data should be considered public & that
the service is for entertainment purposes only.

------
PL1
I have tried to have my account deleted a while ago but Credit Karma refused
to do so.

Terrible company.

~~~
skellera
Very terrible.

Had a terrible experience with them when they started their tax service (first
year of it). I let them know they had the wrong format for Hawaii tax IDs and
they told me I was wrong and to go somewhere else because I didn’t know what I
was doing.

Turns out they had their shit wrong. Glad it happened so I realized how trash
their company was. Thankfully I was able to make them delete my account.

~~~
fourstar
Can you post the conversation with all personal information redacted, please?
Very curious to see how this went down.

~~~
skellera
Sorry, I just looked and I don’t have the chat transcript. Only thing I have
is the support email response after I asked to cancel my account because of
the service I received from the chat support. I wish I kept it though. They
were extremely rude and I was thrown off by how bad it was.

------
bubblethink
How do you close the CK account and remove their authorizations to credit
reports? I don't see any option in settings.

~~~
fourstar
You would need to deal with the bureau(s) since they ultimately have control
over your data. Good luck with that.

------
sucrose
I noticed something was odd... I've been trying to sign into their app the
past couple of days and keep receiving "Invalid credentials" errors. The
website worked fine for me.

------
notatck
Caching issue.

~~~
benburleson
Does this imply you're only potentially compromised if you were logged in
during the time "the glitch" was live?

~~~
WrtCdEvrydy
Yeah, that's generally how caching problems happen.

Caches are built and served to the wrong person so everyone who saw someone
else's profile can probably be sure theirs was shown to someone else.

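The "caching issue" the commenters above describe has a well-known shape: a shared response cache keyed only on the URL, with no notion of who is asking, stores the first authenticated user's page and hands it to everyone who requests that path while the entry is live. The following is an added illustration, not code from the thread and not a description of Credit Karma's actual architecture; the accounts, handlers (`dashboard_cacheable`, `dashboard_private`) and traffic sequence are constructed. It shows the vulnerable key beside two fixes (identity in the key, or a `Cache-Control: private, no-store` response the cache honors) and a check that replays traffic and reports every response served to the wrong user. It also bears out benburleson's point: only requests made while the poisoned entry is live are affected.

```python
"""Shared-cache cross-user leak: vulnerable key vs. two hardened variants.
Constructed example; none of the data below is real."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sample accounts (hypothetical, not real users).
ACCOUNTS: Dict[str, Dict] = {
    "alice": {"score": 712, "open_loans": ["auto loan $18k"]},
    "bob":   {"score": 655, "open_loans": ["home loan $300k"]},
}


@dataclass
class Response:
    body: Dict
    headers: Dict[str, str] = field(default_factory=dict)


# Hypothetical origin handlers; `user` is whoever the session resolved to.
def dashboard_cacheable(user: str) -> Response:
    """Per-user page with no cache directive: a shared cache will store it."""
    return Response(body={"user": user, **ACCOUNTS[user]})


def dashboard_private(user: str) -> Response:
    """Same page, but explicitly marked not to be stored by shared caches."""
    return Response(body={"user": user, **ACCOUNTS[user]},
                    headers={"Cache-Control": "private, no-store"})


# Cache-key strategies.
def key_path_only(path: str, user: str) -> str:
    return path                      # vulnerable: one entry per URL, for everyone


def key_path_and_user(path: str, user: str) -> str:
    return f"{path}|uid={user}"      # hardened: identity is part of the key


class SharedCache:
    """Minimal shared response cache sitting in front of the origin."""

    def __init__(self, key_fn: Callable[[str, str], str],
                 origin: Callable[[str], Response]) -> None:
        self.key_fn, self.origin = key_fn, origin
        self.store: Dict[str, Response] = {}

    def get(self, path: str, user: str) -> Tuple[Response, bool]:
        key = self.key_fn(path, user)
        if key in self.store:
            return self.store[key], True          # cache hit
        resp = self.origin(user)
        cc = resp.headers.get("Cache-Control", "")
        if "no-store" not in cc and "private" not in cc:
            self.store[key] = resp                # store only if the origin allows it
        return resp, False


def cross_user_leaks(cache: SharedCache, path: str,
                     requests: List[str]) -> List[Tuple[str, str]]:
    """Replay `requests` (the sequence of requesting users) and report every
    response whose body belongs to someone other than the requester."""
    leaks: List[Tuple[str, str]] = []
    for requester in requests:
        resp, _hit = cache.get(path, requester)
        if resp.body["user"] != requester:
            leaks.append((requester, resp.body["user"]))
    return leaks


SEQUENCE = ["alice", "bob", "alice", "bob"]   # constructed traffic, in order


def run_all() -> Dict[str, List[Tuple[str, str]]]:
    """Run the same traffic through the vulnerable cache and both fixes."""
    path = "/dashboard"
    return {
        "path_only": cross_user_leaks(
            SharedCache(key_path_only, dashboard_cacheable), path, SEQUENCE),
        "path_and_user": cross_user_leaks(
            SharedCache(key_path_and_user, dashboard_cacheable), path, SEQUENCE),
        "no_store_header": cross_user_leaks(
            SharedCache(key_path_only, dashboard_private), path, SEQUENCE),
    }


if __name__ == "__main__":
    for name, leaks in run_all().items():
        print(f"{name:16s} leaks={leaks}")
```

With the path-only key, alice's first request populates the entry and both of bob's requests receive alice's page; with the user in the key, or with the origin marking the response private, no request is served another user's data. In a real deployment both fixes belong together: a `Vary`/identity-aware key at the cache and a `private, no-store` directive from the origin, so that a misconfigured intermediary cannot recreate the problem.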
------
ErikAugust
“Denied there was a data breach”.

Yet you could simply refresh the page as any logged in user and see a new
random account. This is a data breach. You could build a scraper in ten
minutes.

~~~
fourstar
How useful is that data without a name attached?

------
kraigspear
Let me guess, 6 months of free credit monitoring to make up for it.

~~~
SilasX
Future Not-The-Onion: "Most Americans have more free credit monitoring than
their life expectancy".

~~~
mulmen
Our children will fight for single-payer credit monitoring.

~~~
DoreenMichele
Our grandchildren will live in caves and eke out a living from the family
farm. But at least they will have solar power.

------
astura
Chase had exactly the same issue a while back:
[https://krebsonsecurity.com/2018/02/chase-glitch-exposed-customer-accounts/](https://krebsonsecurity.com/2018/02/chase-glitch-exposed-customer-accounts/)

------
sofaofthedamned
Does this apply to the UK version of CK too?

------
mizchief2
That's it, I'm canceling my account with them. Their scores are way off, they
just use you as a way to sell more credit cards, and now they are giving out
my info. They are worse than useless now.

~~~
missingrib
>Their scores are way off

Is this true? Why? Where can I go to get a more accurate credit rating?

~~~
euroq
There are dozens of models that various companies use. When applying for a
mortgage, there are different models used when applying for a car or an
apartment. Credit Karma gets their scores from the credit bureaus with some
particular model, which probably isn't the same one when you go try to get a
car. It's not _wrong_ it's just different.

~~~
astura
To be clear: credit karma shows VantageScore 3.0 whereas most credit cards,
mortgages, and auto loans use a FICO score more often. That being said,
there's a bunch of FICO versions in active use. For a rundown of them see
here: [https://www.investopedia.com/articles/credit-loans-mortgages/081416/fico-5-vs-fico-8-what-are-differences.asp](https://www.investopedia.com/articles/credit-loans-mortgages/081416/fico-5-vs-fico-8-what-are-differences.asp)

Some esoteric lenders might use VantageScore and, for the most part, if you
have a good VantageScore 3.0 you'll most likely have good FICO scores.

~~~
ceejayoz
There's a good 55 point gap between my FICO and my VantageScore, so if you're
getting a mortgage or something, you'll definitely want to check the FICO
value to at least know if that's the case for you.

------
gouggoug
I noticed that today and got very worried when I saw I had apparently taken a
$300k home loan. I immediately assumed someone stole my identity.

I noticed that refreshing would give me other results and got less worried
about identity theft... and more worried about what was happening at CK.

------
r00fus
How can Credit Karma say there was no breach? Just because their database
wasn’t exposed doesn’t mean my personal information wasn’t exposed.

They've got a lot more explaining to do.

------
abledon
"Bing Bam Boom - It's Done!"

"what?"

"Your data is exposed"

------
OrgNet
I used to like credit karma, a few years ago... now my bank does the same
thing without having to share my data with yet another company

------
notatck
Caching issue. :(

------
deepsun
I bet they have the top security certifications up-to-date.

------
ProAm
Glitch or poorly written software by a startup?

~~~
ergothus
Why is the "by a startup" relevant?

~~~
NickBusey
They have been owned by Equifax for a while now, not sure startup is even an
accurate term for CK, let alone why that would matter.

Edit: Ok, they may not be owned by Equifax, but they are 10+ years old with
700 employees and over $500 million in revenue in 2016. I don't know what
definition of 'startup' you use, but that doesn't meet my definition.

~~~
ceejayoz
I don't think that's true.

[https://en.wikipedia.org/wiki/Credit_Karma](https://en.wikipedia.org/wiki/Credit_Karma)

------
imnotlost
Even if you delete your account, they probably still keep and sell your data
to anyone who asks.

Is there any way to force a US company to scrub your data, including from logs
and backups?

~~~
pugworthy
If you haven't read it, please read
[https://www.creditkarma.com/about/privacy-20190404/](https://www.creditkarma.com/about/privacy-20190404/)

I haven't read it in detail, but they may cover your first sentence.

~~~
imnotlost
Read it - they don't delete your data.

~~~
pugworthy
I was specifically addressing the "sell your data to anyone who asks" part.
Keeping it is one thing, suggesting they sell it to anyone who asks is
another. My guess is, no - they don't do that.

~~~
skellera
Keeping your data and selling it anonymized is no better. They should not
profit from your data when you leave.

