
If I came across an S3 bucket with my credit application details and I could delete it, I would probably do it and then report to their security team. It’s MY data security they’re being casual with.

It occurs to me now that if I did that it would likely be a crime because of the harm to the company. The irony.

Who cares if it has your data in it or not. Just report it to authorities and the guy who runs haveibeenpwned.

Plus what are you going to do with credit card applications anyway? Sell them to a marketing company with some phony story? Or the 'sell them on the darknet to fraudsters in Russia' angle? Unless you're already involved in some dirty business already this isn't very valuable.

I would imagine complete credit card applications contain the type of information identity thieves would be willing to pay good money for.

I think the point is: unless the hacker is already aware of how to sell PII of this nature and how to move "good money" then a hack like this is for naught.

Reading the mistakes made in the hack itself makes me wonder if black markets and money laundering are a skill they possess.

I think you could just sign up on one of the onion drug/fraud markets for ~$500 vendor deposit and put up a listing for those profiles at like $5-10 a pop.

If you were lazy you could just hit up an existing vendor and ask them to sell your data in batches.

I’m not saying this would be a good idea, but it certainly wouldn’t be very difficult.

Then Capital One will find out immediately because banks hire firms to watch darknet markets. JP Morgan discovered a breach when they found data being sold on one of those forums and that was years ago.

This will just intensely increase the scrutiny of where the data came from and they'd likely be caught anyway, unless they did a very clean job security-wise. Which very few people seem to be able to do when the feds really want you.

Moving to Russia or another country without extradition treaties would probably be a good first step of that plan.

By now everyone's identity data is already widely disseminated, no?

I operate under the assumption my name, address, email, social media profiles, social security number, place of birth, and mother's maiden name are all easily available in the wild. I've bought one of those online background checks before, at the very least I can be confident the info on that report is available to anyone.

The old joke.. "Don't worry, the NSA made a backup for you"

But now it's more like "Don't worry, the 5Eyes have made a backup for everyone"

> and I could delete it, I would probably do it

In the UK this would definitely open you up to the Computer Misuse Act, and I imagine the police would have something to say to you about evidence tampering too.

Having wide open access to customer details with full ability to read/write on the open internet..? That seems like it should be stretching the Computer Misuse too far, but yes, you're right.

What's funny to me about this statement is it would propose an interesting legal question in the EU due to GDPR. You certainly do have your right to delete it there.... Despite it being unconventional.
