
Breaches, traders, plain text passwords, ethical disclosure and 000webhost - finnn
http://www.troyhunt.com/2015/10/breaches-traders-plain-text-passwords.html
======
brianclements
After reading all that, am I the only one who thinks that sites with security
practices that egregious aren't simply fronts or traps for mining this kind of
information?

~~~
toyg
Hanlon's razor disagrees.

If they were fronts, they wouldn't have done something as stupid and high-visibility as resetting everyone's password; that's the desperate act of someone who doesn't know what he's doing.

~~~
brianclements
Probably right. But wouldn't an action like that only have a mild effect on the value of the stolen data anyway? There were no other announcements that came along with the forced password reset, so most people, not knowing any better, would change their passwords for 000webhost only and move on. But isn't the real value in cross-referencing multi-use passwords on other sites? I would imagine that only a very small percentage of 13 million users who are met with a forced password reset would proceed to then change that password everywhere it's used.

Fun thought experiment: What would you do differently if you were to actually set up a front operation solely for the gathering of password/email credentials from unsuspecting users? Would you make it stupid simple for people to hack, as 000webhost did, thereby dodging blame, or would you just leak the data in secret in obfuscated chunks so as not to give away the source?

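The point above about reused passwords is what makes a single-site reset so weak a mitigation: the exposure lives on at every other site where the same credential was used. As an added example (not part of this thread or of 000webhost's code), here is how one of those other sites can defend itself at password-set time with a k-anonymity range lookup in the style popularised by Have I Been Pwned's Pwned Passwords service: the client hashes the candidate password, sends only the first five hex characters of the SHA-1, and matches the returned suffixes locally, so the full hash never leaves the client. The leaked corpus, the index layout and the function names are all constructed for this illustration.

```python
import hashlib

# Constructed sample corpus: plain-text passwords as they might have leaked from a
# site that stored them unhashed. These are made-up values, not real breach data.
LEAKED_PLAINTEXT = ["password1", "letmein", "hostingpw", "123456", "letmein"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest format used by the range-query model."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Index the corpus the way a range service serves it:
    5-hex-char prefix -> {35-hex-char suffix: number of times seen}.
    Storing counts lets a site treat a widely reused password as worse than a one-off."""
    index = {}
    for pw in plaintexts:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:5], digest[5:]
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


def range_query(index, prefix: str):
    """Simulated server side: return every suffix under the requested prefix.
    The server learns only the 5-char prefix, never the full hash."""
    return dict(index.get(prefix.upper(), {}))


def breach_count(password: str, index) -> int:
    """Simulated client side: hash locally, query by prefix, match the suffix here."""
    digest = sha1_hex(password)
    suffixes = range_query(index, digest[:5])
    return suffixes.get(digest[5:], 0)


def check_password_change(new_password: str, index):
    """Policy hook for a password change: reject anything seen in a known breach.
    Returns (decision, count) so the caller can log why a change was refused."""
    count = breach_count(new_password, index)
    return ("reject", count) if count else ("accept", 0)


if __name__ == "__main__":
    idx = build_range_index(LEAKED_PLAINTEXT)
    for candidate in ("letmein", "correct horse battery staple"):
        print(candidate, "->", check_password_change(candidate, idx))
```

The index is built from the leaked plain-text list only because that is what a site storing passwords unhashed exposes; a real service would ingest hashes. The check deliberately runs on the new password a user is trying to set, since that is where a user "changing it only on 000webhost" reintroduces the same credential elsewhere.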
------
heymishy
Seems to me like the guy who started out as a one-man reseller host scaling out into something he's nowhere near capable of managing. Scary to think how many of these are out there.

