Credit Karma glitch exposed users to other people’s accounts (techcrunch.com)
161 points by pseudolus 63 days ago | 86 comments

Though not literally the same as loss of life, there has to come a point where software "glitches" that lead to this kind of release are treated in a way similar to a software "glitch" that leads to accidents with computer controlled machines. Boeing's majorly paying for this right now, but companies like this just get to say "Oops" and move on.

Again, it's not the same as people dying in a plane crash, but it's not in the, "The car I ordered wasn't the same shade of blue I thought I was getting" category either.

As software engineers (if you are one), we at some point have obligations to our end users that top the obligations to the people who pay for our work. And if I worked for Boeing, it's not my personal obligation to safety that keeps that plane safe, it's Boeing's obligation, and their interest in a culture that manifests a mindset in developers of "There's a lot riding on your decisions."

The difference between those two "glitches", receiving an incorrect product and Credit Karma's exposure is: that toxic asset, your data.

We are eventually going to come around to the fact that business models which require keeping sensitive user data are highly risky — just like businesses that handle toxic chemicals.

Not unless there's legislation giving people some ownership of their data and companies some responsibility in its stewardship. Until then it'll be an externality, which means that hoarding data is essentially free money.

Just like businesses who use and discard into the environment toxic chemicals that there are no regulations covering.

I think we are already there. Assigning a monetary value to data is a critical step for any responsible organization or person, then it can be managed like an asset or a liability - of which it is both.

Thanks. Better analogy than my Boeing one.

It's time to factor in guaranteed exposure of data when considering pros/cons of consuming any online service.

Questions I've been asking myself lately:

- How embarrassing or worse would an HN data breach (plug in favorite $social_network) be to me when logs are exposed that link my activity in a way that can trivially deanonymize me? How much does this reduce the value of consuming the service in the first place?

- How embarrassing or worse would a data breach at Uber/Lyft/other ride sharing be for me? Consider exposure of geolocation + timestamps. How much does this reduce the value of consuming the service in the first place?

- Repeat for things like online dating or whatever else.

These additional questions have helped me put risk vs. reward into perspective when consuming services, no matter where they live or how useful they seem prima facie.

My bigger question is why are people embarrassed for their opinions even if they were expressed as trollish? There was a time when it was normal to disagree with people.

It's not just a question of embarrassment. There are activists who specialize in identifying people who engage in wrongthink and contact their employer to get them fired from their job. Employers who don't comply face boycotts and social media attacks on their reputation.

Indeed. I was doxxed over a religious position I hold and underwent a 3 month investigation at work for it. It was absolutely horrible and very stressful. I have a family and small children. Some psycho who just couldn't handle that someone disagrees with them spent the actual time to call my employer with the malicious intent to get me fired. That this type of behavior is tolerated by corporations is a gross injustice and it should be illegal.

You could also get killed by a drunk driver or shot in a random spree. It's terrible but the odds of it happening are too small to organize your individual life around.

Every group believes in something dumb. People often hide disagreements to fit in.

So either the group is fake, or the members are lying. What kind of group is that?

As far as I can tell every group holds these beliefs. I kind of wonder if holding / pretending to hold false beliefs is what holds groups together.

Something as informal as friends watching some sport often have lucky items or rituals that show up over time. The degree to which this is simply an in joke can change over time, especially when groups grow.

Usually group formation requires people to collectively forget something. It's not common to require creating false beliefs.

collectively forget something

What do you mean by this?

“Forgetfulness, and I would even say historical error

Seems to be the same or at least very similar idea.

A group of neurotypical humans.

Are you talking of comments you've posted, or do you have more specific concerns?

Your comments: https://news.ycombinator.com/threads?id=USERNAME

In API form: https://hacker-news.firebaseio.com/v0/user/USERNAME.json?pri...

Everything you do here is rather public...

Heh, CK also alerts you when your data or password has been compromised in a breach. Must be real fun to have to list themselves!

> Must be real fun to have to list themselves!

Exactly, we need to be very serious about the security of the thousands of users at risk here and it's ironic how they list themselves in this security fault. This to me looks like clownish behavior here.

But come on! You have to give them credit for informing you about all the other security breaches out there and now including themselves. But hey, karma's a bitch isn't it? :)

Actually, I'm not even sure if they will go through and treat themselves like a normal breach. But it will be a jerk move if they don't, and funny/ironic if they do.

If they do it right, it won't be funny/ironic at all. Especially if they are open about the mistakes they made, and how they are working to ensure they don't happen again.

> Actually, I'm not even sure if they will go through and treat themselves like a normal breach

They've explicitly claimed the “glitch” which exposed customer personal data to other customers was not a breach, so it's pretty clear they will not.

A botched deploy wasn't a breach...?

FWIW: CK doesn't appear to show SSNs or account numbers which would limit the damage from this kind of error.

Note that there are Twitter reports about this happening as early as 12 hours before Credit Karma's initial response.

It seems this was happening for a long time, but Credit Karma did not notice until their social media team came in at 9am PDT.

Well, this makes me feel better about not signing up for CK because it gave me a vague skeezy feeling.

We need to make some big changes and I am not looking forward to living in the inevitable future where they haven't been made.

At some point in the near future, a company with a data breach will update its TOS post-breach to say that all data should be considered public & that the service is for entertainment purposes only.

I have tried to have my account deleted a while ago but Credit Karma refused to do so.

Terrible company.

Very terrible.

Had a terrible experience with them when they started their tax service (first year of it). I let them know they had the wrong format for Hawaii tax IDs and they told me I was wrong and to go somewhere else because I didn’t know what I was doing.

Turns out they had their shit wrong. Glad it happened so I realized how trash their company was. Thankfully I was able to make them delete my account.

Can you post the conversation with all personal information redacted, please? Very curious to see how this went down.

Sorry, I just looked and I don’t have the chat transcript. Only thing I have is the support email response after I asked to cancel my account because of the service I received from the chat support. I wish I kept it though. They were extremely rude and I was thrown off by how bad it was.

Deactivating your account does not erase your data.

If only the rest of the world had caught up on implementing a GDPR

How do you close the CK account and remove their authorizations to credit reports? I don't see any option in settings.

You would need to deal with the bureau(s) since they ultimately have control over your data. Good luck with that.

I noticed something was odd... I've been trying to sign into their app the past couple of days and keep receiving "Invalid credentials" errors. The website worked fine for me.

Caching issue.

Does this imply you're only potentially compromised if you were logged in during the time "the glitch" was live?

Yeah, that's generally how caching problems happen.

Caches are built and served to the wrong person so everyone who saw someone else's profile can probably be sure theirs was shown to someone else.
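An added illustration of the caching failure mode described above (example code, not anything from the thread or from Credit Karma; the cache, origin and sample profiles are constructed): a shared response cache that stores a logged-in profile page under its URL alone hands that page to whoever requests the URL next, and the fix is for the origin to declare such responses private so a shared cache never stores them.

```python
from dataclasses import dataclass, field

# Constructed sample data: session cookie -> the profile the origin renders for it.
PROFILES = {
    "sess-alice": {"name": "Alice", "account": "$300k home loan"},
    "sess-bob": {"name": "Bob", "account": "no open loans"},
}

@dataclass
class Response:
    body: dict
    headers: dict = field(default_factory=dict)

def origin(url: str, cookie: str, mark_private: bool) -> Response:
    """Application server. The buggy deployment lets the page be cached
    publicly; the fixed one declares it private so shared caches skip it."""
    if mark_private:
        headers = {"Cache-Control": "private, no-store"}
    else:
        headers = {"Cache-Control": "public, max-age=60"}
    return Response(dict(PROFILES[cookie]), headers)

class SharedCache:
    """A CDN / reverse-proxy cache keyed by URL, as a shared cache is."""
    def __init__(self) -> None:
        self.store: dict = {}

    def fetch(self, url: str, cookie: str, mark_private: bool) -> Response:
        if url in self.store:
            return self.store[url]  # served to whoever asks next, cookie ignored
        resp = origin(url, cookie, mark_private)
        cc = resp.headers.get("Cache-Control", "")
        if "private" not in cc and "no-store" not in cc:
            self.store[url] = resp  # only cacheable responses are kept
        return resp

def who_sees_what(mark_private: bool) -> list:
    """Replay the thread's scenario: Alice loads /profile, then Bob, then Alice."""
    cache = SharedCache()
    return [cache.fetch("/profile", c, mark_private).body["name"]
            for c in ("sess-alice", "sess-bob", "sess-alice")]

def cross_user_leak(mark_private: bool) -> bool:
    """Detection check: did any visitor receive a profile that is not their own?"""
    cache = SharedCache()
    return any(cache.fetch("/profile", c, mark_private).body["name"] != PROFILES[c]["name"]
               for c in ("sess-alice", "sess-bob", "sess-alice"))

if __name__ == "__main__":
    print("buggy:", who_sees_what(False), "fixed:", who_sees_what(True))
```

The same check is worth running against a real deployment from two separate sessions after any change to cache or CDN configuration, since the leak only appears once a second user hits a warm cache.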

Yep my thoughts. Sounds like the Steam Christmas sale issue from sometime back.

The description does sound like that, yeah.

“Denied there was a data breach”.

Yet you could simply refresh the page as any logged in user and see a new random account. This is a data breach. You could build a scraper in ten minutes.

How useful is that data without a name attached?

Let me guess, 6 months of free credit monitoring to make up for it.

Future Not-The-Onion: "Most Americans have more free credit monitoring than their life expectancy".

New startup idea: Credit monitoring monitoring

Our children will fight for single-payer credit monitoring.

Our grandchildren will live in caves and eke out a living from the family farm. But at least they will have solar power.

Chase had exactly the same issue a while back: https://krebsonsecurity.com/2018/02/chase-glitch-exposed-cus...

Does this apply to the UK version of CK too?

That's it, I'm canceling my account with them. Their scores are way off, they just use you as a way to sell more credit cards, and now they are giving out my info. They are worse than useless now.

>Their scores are way off

Is this true? Why? Where can I go to get a more accurate credit rating?

There are dozens of models that various companies use. When applying for a mortgage, there are different models used when applying for a car or an apartment. Credit Karma gets their scores from the credit bureaus with some particular model, which probably isn't the same one when you go try to get a car. It's not _wrong_ it's just different.

To be clear: credit karma shows VantageScore 3.0 whereas most credit cards, mortgages, and auto loans use a FICO score more often. That being said, there's a bunch of FICO versions in active use. For a rundown of them see here: https://www.investopedia.com/articles/credit-loans-mortgages...

Some esoteric lenders might use VantageScore and, for the most part, if you have a good VantageScore 3.0 you'll most likely have good FICO scores.

There's a good 55 point gap between my FICO and my VantageScore, so if you're getting a mortgage or something, you'll definitely want to check the FICO value to at least know if that's the case for you.

For a slightly more useful credit score (more useful, not more accurate - see sibling comment), you'll want to get a version of your FICO score instead of a version of your VantageScore. You can get one for free here: https://www.freecreditscore.com/ - it's run by Experian. I haven't read the privacy policy, but no payment information is required.

Good luck having your data deleted. Credit karma doesn't delete accounts.

Wow you are indeed correct, according to their privacy policy:

> Due to our recordkeeping and information retention requirements, we do not delete information about you upon deactivation. We will, however, disable your account and stop sending you further communications. Furthermore, except to the extent necessary for legal or regulatory recordkeeping purposes, we anonymize the data in your Member Profile two years after you deactivate your account. It may take a little more time for our automated backup systems to fully process the anonymized account, though.

I noticed that today and got very worried when I saw I had apparently taken a $300k home loan. I immediately assumed someone stole my identity.

I noticed that refreshing would give me other results and got less worried about identity theft... and more worried about what was happening at CK.

How can Credit Karma say there was no breach? Just because their database wasn’t exposed doesn’t mean my personal information wasn’t exposed.

They've got a lot more explaining to do.

"Bing Bam Boom - It's Done!"

"Your data is exposed"

I used to like credit karma, a few years ago... now my bank does the same thing without having to share my data with yet another company

Caching issue. :(

I'm not sure calling her "Miss spokesperson" is necessary, but otherwise correct.

Edit: Thanks for the edit!

You're correct, I've removed the 'Miss' as it sounds pretty pretentious.

No, it sounded misogynistic.

I agree, that honorific was strongly prejudiced against women.

Yeah, this bit is an egregious lie:

> “What our members experienced this morning was a technical malfunction that has now been fixed. There is no evidence of a data breach,” the statement said.

She's not an MBA...?

Hmm... just trying to build some self awareness in this community around how easy it is to hate on MBAs as a group. We're soooo allergic to that type of rhetoric when it's anyone else, but not at all when it comes to the "business" or "MBA" side of the house.

Imagine the phrase "Fuck Your Engineering Bullshit" was used instead - I'm pretty sure there'd be a lynching.

I think "engineering bullshit" and "MBA bullshit" are comparing apples to oranges. MBAs definitely spew much more and different types of BS than engineers.

Is it possible you believe this because you are an engineer and not an MBA?

Telling other people they are wrong is classic engineer bullshit.

> Telling other people they are wrong

So maybe she is an engineer... since she said there was no data breach.

I bet they have the top security certifications up-to-date.

Glitch or poorly written software by a startup?

Why is the "by a startup" relevant?

They have been owned by Equifax for a while now, not sure startup is even an accurate term for CK, let alone why that would matter.

Edit: Ok, they may not be owned by Equifax, but they are 10+ years old with 700 employees and over $500 million in revenue in 2016. I don't know what definition of 'startup' you use, but that doesn't meet my definition.

I don't think that's true.

Even if you delete your account, they probably still keep and sell your data to anyone who asks.

Is there any way to force a US company to scrub your data, including from logs and backups?

If you haven't read it, please read https://www.creditkarma.com/about/privacy-20190404/

I haven't read it in detail, but they may cover your first sentence.

Read it - they don't delete your data.

I was specifically addressing the "sell your data to anyone who asks" part. Keeping it is one thing, suggesting they sell it to anyone who asks is another. My guess is, no - they don't do that.

Keeping your data and selling it anonymized is no better. They should not profit from your data when you leave.
