

Reputation.com Loses User Passwords, Emails, and Addresses - chunsaker
https://www.stormpath.com/blog/reputationcom-loses-user-passwords-emails-and-addresses

======
useflyer
It's absolutely flabbergasting when a company, which has the sole purpose of
protecting customer information, allows this to occur. They've raised 4 major
institutional rounds (their last $42 million); it's discomforting that neither
their team nor investors thought to secure their systems better than this.

~~~
sneak
mumble mumble invisible hand mumble

~~~
skrebbel
I didn't get it.

~~~
Bill_Dimm
I think his point is that in an efficient market (invisible hand - an Adam
Smith reference) incompetent companies should lose all of their customers to
better companies and die.

~~~
skrebbel
Thanks! I didn't know it was an Adam Smith reference. It makes sense now.

------
electic
This is really bad for their reputation.

------
brandon_wirtz
Reputation.com has always been smarmy. It wouldn't surprise me if they sold
the passwords and then claimed they lost them. (Really)

For the things Reputation.com does you have to ask why they used encrypted
rather than hashed passwords. Not that hashed passwords would make me super
excited to be lost, but why did Reputation.com need to keep the password
around? They don't really interact with accounts, and if they do those should
be stored separately from the access to the site. So the message should have
been "we lost users bank account passwords" or something along those lines.

Because I know that Reputation.com is practically in the extortion business
this password storing rather than hashing issue makes me think even less of
them, which is difficult to do.

~~~
tekacs
The passwords _were_ salted and hashed (the article and e-mail screenshot both
mention this).

It's no s/b/...crypt but they don't seem to have been 'kept around'.

~~~
tekacs
Aaand having posted this, he reads the first comment on the page which states
the opposite... in contradiction to the posted screenshot of the supposed
e-mail.

o_O

~~~
chunsaker
I received and posted the email, and many others on twitter have also received
it.

Also, not sure we should take blog comments for the gospel before all the
facts are out.

------
bredren
This article sort of glosses over the exact user data lost in the data breach:
names, email and physical addresses. For some users, phone numbers, date of
birth and occupational info.

That is a lot of personal data to lose given Reputation.com's supposed to be
opening a data privacy vault this year.[1] The founder gave an interview to Fox
on March 1st describing Reputation.com's move into vendor relationship
management.[2]

Advocates for personal data vaults / VRM business model[3][4] like
Reputation.com and Personal.com stress that personal data is mishandled today,
especially by data brokers. Thus it must be particularly frustrating for
Reputation.com to be directly involved in a data breach.

[1] <http://www.nytimes.com/2012/12/09/business/company-envisions-vaults-for-personal-data.html?pagewanted=all>

[2] <http://www.reputation.com/reputationwatch/multimedia/michael-fertik-fox-markets-now-data-vault>

[3] <https://cyber.law.harvard.edu/projectvrm/Main_Page>

[4] <http://www.nytimes.com/2012/02/13/technology/start-ups-aim-to-help-users-put-a-price-on-their-personal-data.html/>

------
jorts
Is there a reason why in all of these compromises that they never state the
type of encryption used on passwords?

~~~
dangrossman
Because somewhere between 97% and 100% of the recipients of the message would
only be confused by that information.

~~~
whatshisface
Confusion, when followed by positive words, can make people happier sometimes.
(Wow, I sure am glad they are so smart!)

I don't really see a big drawback to inserting a few extra words, if those
words might get reputable people to say that the bad thing that just happened
wasn't really so bad.

------
DigitalSea
Losing information on the scale these guys have is no doubt going to be bad
for their reputation.

------
lstamour
I'm always nervous when people say they've lost "encrypted" passwords. We need
a "plain english" version of
<https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet> or at least
issue a warning when you create a "password" VARCHAR in MySQL ;-)

~~~
tptacek
I really hate that OWASP page (it's not as bad as it used to be --- that is,
godawful --- and now it's just incoherent) and think we shouldn't be directing
developers to it. If there's something "OWASP" (whatever that is) is truly bad
at, it's cryptography.

~~~
ineedtosleep
I usually rely on OWASP for general guidelines, but if that page isn't enough
for you, what is? (not a rhetorical question)

What should one look into in order to fill in OWASP's gaps?

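A worked illustration of the distinction this thread keeps circling: brandon_wirtz asks why passwords would be "encrypted" rather than hashed, tekacs notes the hashes were salted but "no s/b/...crypt", and lstamour asks for a plain-English version of the OWASP password-storage advice. This is an added example written for this page; it is not code from the article, from Reputation.com, or from the OWASP cheat sheet. Encryption is not shown because its defining property is the problem: anyone holding the key (an insider, or an attacker who takes the key with the database) can turn the ciphertext back into every password, whereas a hash gives nothing to reverse, only something to guess against. The example uses hashlib.scrypt from the Python standard library (it assumes a build linked against OpenSSL 1.1 or newer); the `$scrypt$N$r$p$salt$digest` record layout is this example's own, not a standard encoding, and the usernames, passwords and attacker wordlist are constructed sample data.

```python
"""Salted, memory-hard password hashing next to a fast unsalted hash.

Added illustration for this thread, not code from Reputation.com or from the
article. Assumes a Python build whose hashlib exposes scrypt (OpenSSL 1.1+).
All usernames, passwords and the wordlist below are constructed sample data.
"""
import base64
import hashlib
import hmac
import os

# scrypt work factors: N=2**14, r=8 costs 16 MiB of memory per single guess,
# which is what makes an offline dictionary attack expensive per account.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32

# Constructed sample data: two accounts and a tiny attacker wordlist.
USERS = {"alice": "hunter2", "bob": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty"]


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None):
    """Return a self-describing record: $scrypt$N$r$p$salt$digest.

    A fresh 16-byte random salt per user defeats precomputed tables and
    forces the attacker to work on each account separately. Storing the
    parameters in the record lets you raise N later without breaking logins.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(digest))


def verify_password(password, record):
    """Recompute scrypt with the parameters and salt stored in the record."""
    fields = record.split("$")
    if len(fields) != 7 or fields[1] != "scrypt":
        return False  # unknown or malformed scheme: fail closed
    n, r, p = (int(x) for x in fields[2:5])
    salt = base64.b64decode(fields[5])
    expected = base64.b64decode(fields[6])
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    # Constant-time comparison so a timing side channel cannot leak the digest.
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password):
    """The weak scheme: one deterministic, fast hash and no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked, wordlist):
    """leaked: {user: sha256 hex}. One hash per word cracks every account at once.

    Returns (recovered passwords, number of hash evaluations performed).
    """
    table = {unsalted_sha256(w): w for w in wordlist}
    found = {u: table[h] for u, h in leaked.items() if h in table}
    return found, len(wordlist)


def crack_scrypt(leaked, wordlist):
    """leaked: {user: scrypt record}. Every (user, guess) pair costs a full scrypt.

    Returns (recovered passwords, number of scrypt evaluations performed).
    """
    found, evaluations = {}, 0
    for user, record in leaked.items():
        for guess in wordlist:
            evaluations += 1
            if verify_password(guess, record):
                found[user] = guess
                break
    return found, evaluations


def build_stores(users=USERS):
    """Build the two password tables an attacker might walk away with."""
    weak = {u: unsalted_sha256(pw) for u, pw in users.items()}
    strong = {u: hash_password(pw) for u, pw in users.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_stores()
    print("unsalted sha256:", crack_unsalted(weak, WORDLIST))
    print("salted scrypt:  ", crack_scrypt(strong, WORDLIST))
```

With the sample data both attacks recover alice's "hunter2" (a weak password is weak under any scheme), but the unsalted table falls to five SHA-256 calls that serve every account at once, while the scrypt store costs the attacker one 16 MiB scrypt per account per guess and bob's password is never found. The whole record string is what goes into the "password" column, so the column is a text field holding scheme, parameters, salt and digest rather than a bare hash.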
------
Cherian_Abraham
Ironic. Moreover, this is exactly why AirBnB should not become an identity
store (asking their customers to become verified by scanning and sending their
passport info). I do not trust them with my identity.

------
xntrk
Seems like a good letter to send for a phishing scam. Call this number that has
nothing to do with our company and give them more personal info to "watch your
credit".

------
iancarroll
It's gonna need some reputation defense now.

------
superflit
So their reputation is lost?

~~~
joshguthrie
When I first read the title, I thought they literally LOST their database
contents.

------
pentarim
Bad reputation

