Hacker News
Unprotected database exposes sensitive data of over 20M Ecuadoreans (cyware.com)
38 points by mojoraja 9 months ago | 13 comments

If you think this is bad, there is a horrible security hole in the site of the National Transit Agency.

They have the most imbecilic password recovery mechanism: with only the national ID of the victim (cedula) you can recover their password!

I'm not talking about RESETTING the password, I mean they send you the literal password that was set during account creation to ANY email you input.

This is the state and reflection of the incompetence, rot and corruption of our current and past Government.
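As an added illustration of the recovery flaw the comment above describes, here is example code written for this page (it is not the agency's code, and nothing in it is taken from the real site). The first function reproduces the weak flow: the only input is the public cedula, and the stored clear-text password is mailed to whatever address the requester supplies. The ResetService below it is the hardened version a reviewer would ask for: a random, short-lived, single-use token, stored only as a hash so a leaked table holds nothing usable, delivered only to the address already on record, and no code path that can ever disclose the old password. All names (Account, ResetService, the example.invalid addresses, the cedula 1700000000, the placeholder hashPassword) are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Account is a constructed in-memory stand-in for the agency's account table.
type Account struct {
	Cedula, EmailOnRecord string
	PlainPassword         string // vulnerable design: the password itself is stored
	Salt, PasswordHash    []byte // hardened design: salted hash, never the password
}

type SentMail struct{ To, Body string } // stands in for the outgoing mail queue

// VulnerableRecover reproduces the flaw: input is the public cedula, output is the
// stored password, mailed to any address the requester supplies.
func VulnerableRecover(db map[string]*Account, cedula, requesterEmail string) (SentMail, error) {
	acct, ok := db[cedula]
	if !ok {
		return SentMail{}, errors.New("no such account")
	}
	return SentMail{To: requesterEmail, Body: "Your password is: " + acct.PlainPassword}, nil
}

// hashPassword is a stdlib-only placeholder for a real password KDF (argon2id, scrypt or bcrypt).
func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// tokenKey is what gets stored, so a leaked token table holds no usable tokens.
func tokenKey(token []byte) string {
	sum := sha256.Sum256(token)
	return hex.EncodeToString(sum[:])
}

type resetToken struct {
	cedula  string
	expires time.Time
}

// ResetService is the hardened flow: random, short-lived, single-use tokens,
// delivered only to the address on record, and no path that reveals a password.
type ResetService struct {
	db     map[string]*Account
	tokens map[string]*resetToken // keyed by tokenKey; entry deleted on use
	Now    func() time.Time       // injectable clock so expiry can be tested
}

func NewResetService(db map[string]*Account) *ResetService {
	return &ResetService{db: db, tokens: map[string]*resetToken{}, Now: time.Now}
}

// HardenedRecover ignores any requester-supplied address. The bool reports whether an
// account existed; the HTTP layer must answer identically either way so the endpoint
// cannot be used to enumerate cedulas.
func (s *ResetService) HardenedRecover(cedula string) (SentMail, bool) {
	acct, ok := s.db[cedula]
	if !ok {
		return SentMail{}, false
	}
	raw := randomBytes(32)
	s.tokens[tokenKey(raw)] = &resetToken{cedula: cedula, expires: s.Now().Add(15 * time.Minute)}
	link := "https://example.invalid/reset?token=" + hex.EncodeToString(raw)
	return SentMail{To: acct.EmailOnRecord, Body: "Reset link: " + link}, true
}

// CompleteReset redeems a token exactly once, before expiry, stores a fresh salted
// hash and wipes the clear-text field.
func (s *ResetService) CompleteReset(tokenHex, newPassword string) error {
	raw, err := hex.DecodeString(tokenHex)
	t, ok := s.tokens[tokenKey(raw)]
	if err != nil || !ok || s.Now().After(t.expires) {
		return errors.New("invalid or expired token")
	}
	delete(s.tokens, tokenKey(raw))
	acct := s.db[t.cedula]
	acct.Salt = randomBytes(16)
	acct.PasswordHash, acct.PlainPassword = hashPassword(acct.Salt, newPassword), ""
	return nil
}

func main() {
	db := map[string]*Account{"1700000000": {Cedula: "1700000000", EmailOnRecord: "owner@example.invalid", PlainPassword: "hunter2"}} // constructed record
	leak, _ := VulnerableRecover(db, "1700000000", "attacker@example.invalid")
	mail, _ := NewResetService(db).HardenedRecover("1700000000")
	fmt.Printf("vulnerable: %q to %s\nhardened: reset link only to %s\n", leak.Body, leak.To, mail.To)
}
```

The points a practitioner should take from the hardened half: the requester's email is never an input, the token is compared only via its hash, a failed or expired token cannot be retried, and once the account has been reset there is no clear-text password left to leak.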

You should report them to Plain Text Offenders[0]. They're doing God's work.

[0] https://plaintextoffenders.com/

[0] https://plaintextoffenders.com/submit

The SRI (tax office?) publishes convenient CSVs with info on each tax payer, which includes RUC, full name and address.

For self-employed people I believe the RUC is the Cedula with "001" appended. So it is easy to look up the Cedula of many people (I moved to Ecuador in 2014, my info is in that file).


Oh god, I just grepped and found myself in there.

Lovely, I wonder how much the company that did this for them charged.

No they don't, I just checked.

Give me your cedula and I will give you YOUR password.

There needs to be fines for when stuff like this happens. The bottom line is all that matters to bosses, so unless engineers can credibly point to the economic impact of poor security decisions, these things will keep happening.

The main problem with a lot of personal data is that it’s used for identification right? There are other issues of course, but wouldn’t it make sense to assign everyone a cryptographic key that’s just used for authentication?

From the cached site (it seems to have been taken down since the news broke) it seems that this dataset was more used for marketing: https://webcache.googleusercontent.com/search?q=cache:http%3...

You are right about providing a more proper digital authentication solution for citizens, and at least one country has this[0], but in this case it just seems that the data was being kept/exploited for no better reason than marketing and that the company should not have had access to it from the start.

[0]: https://e-estonia.com/solutions/e-identity/id-card/
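An added example, written for this page, of what "a cryptographic key that's just used for authentication" looks like as a protocol (it is not code from the page, from Estonia's ID-card system, or from any real registry). The verifying service stores only a public key per citizen, so leaking its table authenticates nobody; the citizen proves possession of the private key by signing a fresh server nonce that is bound to the service's identity, and the nonce is single-use and short-lived. The Registry type, the audience name transit.example.invalid, the cedula 1700000000 and the "citizen-auth-v1" message prefix are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Registry is what a verifying service keeps per citizen: a public key keyed by
// cedula. Nothing in it is secret, so leaking the table authenticates nobody.
type Registry struct {
	Audience string // this service's identifier, bound into every signature
	Now      func() time.Time
	keys     map[string]ed25519.PublicKey
	pending  map[string]challenge // hex(nonce) -> who it was issued to and until when
}

type challenge struct {
	cedula  string
	expires time.Time
}

func NewRegistry(audience string) *Registry {
	return &Registry{Audience: audience, Now: time.Now,
		keys: map[string]ed25519.PublicKey{}, pending: map[string]challenge{}}
}

// GenerateCitizenKey models key issuance; the private half would live on the
// citizen's card or device and never be sent anywhere.
func GenerateCitizenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func (r *Registry) Enroll(cedula string, pub ed25519.PublicKey) { r.keys[cedula] = pub }

// Challenge issues a fresh 32-byte nonce, valid for two minutes, for one cedula.
func (r *Registry) Challenge(cedula string) ([]byte, error) {
	if _, ok := r.keys[cedula]; !ok {
		return nil, errors.New("no key enrolled for this cedula")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.pending[hex.EncodeToString(nonce)] = challenge{cedula: cedula, expires: r.Now().Add(2 * time.Minute)}
	return nonce, nil
}

// messageToSign binds the nonce to the audience, so a challenge obtained from
// service A cannot be relayed to log the citizen in at service B.
func messageToSign(audience string, nonce []byte) []byte {
	return append([]byte("citizen-auth-v1|"+audience+"|"), nonce...)
}

// SignChallenge is the citizen side. Only the signature travels back; the
// private key does not, and no password or personal data is ever transmitted.
func SignChallenge(priv ed25519.PrivateKey, audience string, nonce []byte) []byte {
	return ed25519.Sign(priv, messageToSign(audience, nonce))
}

// Verify consumes the nonce first (single use, and a wrong guess burns it), then
// checks expiry and the signature against the enrolled public key.
func (r *Registry) Verify(cedula string, nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	c, ok := r.pending[key]
	delete(r.pending, key)
	if !ok || c.cedula != cedula || r.Now().After(c.expires) {
		return errors.New("unknown, mismatched or expired challenge")
	}
	pub, ok := r.keys[cedula]
	if !ok || !ed25519.Verify(pub, messageToSign(r.Audience, nonce), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	reg := NewRegistry("transit.example.invalid") // constructed audience name
	pub, priv := GenerateCitizenKey()
	reg.Enroll("1700000000", pub) // constructed cedula
	nonce, _ := reg.Challenge("1700000000")
	fmt.Println("login:", reg.Verify("1700000000", nonce, SignChallenge(priv, reg.Audience, nonce)))
	fmt.Println("replay:", reg.Verify("1700000000", nonce, SignChallenge(priv, reg.Audience, nonce)))
}
```

Contrast this with the identifier-based scheme discussed in the thread: here knowing someone's cedula, address and even their enrolled public key gives an attacker nothing to log in with, a captured response cannot be replayed, and a challenge from one service cannot be relayed to another.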

These sorts of things keep on happening all over the world. The last big breach I read about was unsecured S3 buckets. Should AWS and Elastic and other software infrastructure providers allow for these things to be deployed unauthenticated? Not saying it's their fault that these security breaches happen, but it's been pretty evident that many of their customers do not understand security. Maybe the solution is to just default to a more secure system out of the box, and make it much more difficult to make your system insecure.

According to Wikipedia [0], the population of Ecuador is 16-17 million. Does this database include dead people as well?

[0]: https://en.m.wikipedia.org/wiki/Ecuador

According to the zdnet report (https://news.ycombinator.com/item?id=20984119, https://www.zdnet.com/article/database-leaks-data-on-most-of...), yes: "The bigger number comes from duplicate records or older entries, containing the data of deceased persons."
