
“Encrypted” is not the same as “secure” and in practice knowing that data is encrypted gives you virtually zero useful information toward knowing if your data is secure.

I previously worked at a “reputable” company whose main product stores usernames and passwords for third-party sites. It’s a conceptually-similar product to what Plaid offers, but in a different problem space. These passwords were encrypted.

And yet:

* any developer or ops member could trivially have dumped the entire plaintext dataset

* there were multiple bugs discovered that would have allowed dummy accounts to quickly, trivially, and remotely dump the entire plaintext dataset

* if these bugs had been exploited, we would have had no way to know past a few weeks due to log rotation policies

* administrator passwords to systems were often just single English words

If anyone with ill intent had looked at this product for more than an hour, they likely would have discovered some of the bugs mentioned; one was pretty much just a

    GET /accounts/$i/passwords.csv
I have no particular information regarding Plaid that would lead me to expect they’re anywhere near this bad. I also have no particular reason to believe they aren’t this bad, but in my experience as an infosec engineer, the overwhelming majority of companies—even “reputable” ones—are far closer to the shitshow end of the spectrum than they are to the competent end when it comes to security. Even if they are competent it’s not that big a reassurance, because competent companies still get popped with depressing regularity. It still often just takes one mistake from a well-meaning engineer to introduce a severe security vulnerability, even in a company that generally takes security seriously.

Combine this with the consequences of a breach: if your credentials are stolen from Plaid and used to steal money from you, your bank, brokerage, or other financial institution can point to your use of this product as cause to deny your claim to have your funds returned. Essentially, they can point to Plaid as a violation of their terms of service, and hold you on the hook for any losses as you voluntarily gave your credentials to a third party.

Hell, even if Plaid isn’t breached and your account is compromised through other means, they can use the logs from Plaid regularly logging into your account to make the same case.
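The `GET /accounts/$i/passwords.csv` bug the commenter describes is a missing object-level authorization check: the handler trusts the account id in the URL and only checks that *some* user is logged in. The example below is added here for illustration and is not code from the comment or from any product it mentions; the account table, session model, `NotFound` exception and audit log are all constructed stand-ins. It shows the vulnerable handler beside a hardened one that ties the record to the calling user and writes every decision to an audit trail, which addresses the commenter's other point that rotated logs left no way to tell whether the bug had been exploited.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Account:
    id: int
    owner: str                   # username that owns this vault
    credentials: Dict[str, str]  # site -> stored password (constructed sample)


# Constructed sample data standing in for the product's account table.
ACCOUNTS: Dict[int, Account] = {
    1: Account(1, "alice", {"bank.example": "hunter2"}),
    2: Account(2, "bob", {"broker.example": "correct-horse"}),
}

# Stand-in for a long-retention audit trail. The comment notes that log
# rotation erased evidence after a few weeks; authorization decisions belong
# in a log kept longer than that.
AUDIT_LOG: List[str] = []


class NotFound(Exception):
    """Mapped to HTTP 404 by the (hypothetical) web framework."""


def export_csv(acct: Account) -> str:
    """Render one account's credentials as CSV (the response body)."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["site", "password"])
    for site, pw in sorted(acct.credentials.items()):
        w.writerow([site, pw])
    return buf.getvalue()


def vulnerable_passwords_csv(session_user: str, account_id: int) -> str:
    """The bug shape described in the comment: the id in the URL is trusted.

    Any authenticated user, including a throwaway account, can walk account
    ids and receive other people's vaults. session_user is never consulted."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        raise NotFound(account_id)
    return export_csv(acct)


def hardened_passwords_csv(session_user: str, account_id: int) -> str:
    """Object-level authorization: the record must belong to the caller.

    Missing and foreign accounts both produce 404 so the response does not
    confirm which ids exist, and every decision is written to the audit log
    so an id sweep is visible after the fact."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != session_user:
        AUDIT_LOG.append(f"DENY user={session_user} account={account_id}")
        raise NotFound(account_id)
    AUDIT_LOG.append(f"ALLOW user={session_user} account={account_id}")
    return export_csv(acct)


def denied_attempts(user: str) -> int:
    """Detection hook: how many foreign or missing accounts has this user
    requested? A high count from one session is the signature of enumeration."""
    return sum(1 for line in AUDIT_LOG if line.startswith(f"DENY user={user} "))


if __name__ == "__main__":
    print(vulnerable_passwords_csv("bob", 1))   # bob receives alice's vault
    try:
        hardened_passwords_csv("bob", 1)
    except NotFound:
        print("hardened handler: denied")
    print("denied attempts by bob:", denied_attempts("bob"))
```

The ownership test `acct.owner != session_user` is the whole fix; the rest is about being able to prove later whether it was ever bypassed. In a real deployment the audit entries would go to an append-only store with a retention period measured in months, not to the application log that rotates weekly.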
