Hacker News new | comments | show | ask | jobs | submit login
Reputation.com Loses User Passwords, Emails, and Addresses (stormpath.com)
63 points by chunsaker 1490 days ago | hide | past | web | 37 comments | favorite



Its absolutely flabbergasting when a company, which has the sole purpose of protecting customer information, allows this to occur. They've raised 4 major institutional rounds (their last $42 million), its discomforting that neither their team nor investors thought to secure their systems better than this.


" That is a funny business because on a net basis, the whole investment management business together gives no value added to all buyers combined. That's the way it has to work. " - Charlie Munger ( http://ycombinator.com/munger.html )


I worked there as one of their first engineer's, It's surprising to me that they've raised that much $, however the hack isn't. Incompetence is a word I use fairly when describing my time there...


mumble mumble invisible hand mumble


I didn't get it.


I think his point is that in an efficient market (invisible hand - an Adam Smith reference) incompetent companies should loose all of their customers to better companies and die.


Thanks! I didn't know it was an Adam Smith reference. It makes sense now.


This is really bad for their reputation.


Reputation.com has always been smarmy. It wouldn't surprise me if they sold the passwords and then claimed they lost them. (Really)

For the things Reputation.com does you have to ask why they used encrypted rather than hashed passwords. Not that hashed passwords would make me super excited to be lost, but why did Reputation.com need to keep the password around? They don't really interact with accounts, and if they do those should be stored separately from the access to the site. So the message should have been "we lost users bank account passwords" or something along those lines.

Because I know that Reputation.com is practically in the extortion business this password storing rather than hashing issue makes me think even less of them, which is difficult to do.


The passwords _were_ salted and hashed (the article and e-mail screenshot both mention this).

It's no s/b/...crypt but they don't seem to have been 'kept around'.


Aaand having posted this, he reads the first comment on the page which states the opposite... in contradiction to the posted screenshot of the supposed e-mail.

o_O


I received and posted the email, and many others on twitter have also received it.

Also, not sure we should take blog comments for the gospel before all the facts are out.


As a friendly tip, this isn't your YouTube comments page for why Node.js is stupid, so we'd appreciate it if you would take the few minutes of your time and read the article before jumping to conclusions or stating facts without credible sources.


Really? What does encrypted mean? Hashed is not encrypted. You can't unhash. You can find a known source of that hash, but you can't "decrypt".

Knowing this. Salted and Hash and Encrypted doesn't make any sense. So either they are BSing because they are stupid. Or because they are dishonest.

From where I stand it doesn't really matter which of the two they are. When it comes to privacy I have no tolerance for Stupid or Dishonest.

As for the statement that they aren't legally required to notify you... That's not true. If any of the people on the list live or access their account from North Carolina, or any of the 14 other states that use NC's breach terms then they would have to. Since it is nearly impossible to tell that this is not the case they legally have to give notice. A company that deals in Reputation Management should know this.

PS Friendly Tip regarding credible sources I can already buy the list online. With passwords in decyphered. This doesn't lend well to they were Hashed and Salted.


Salted and Hash and Encrypted doesn't make any sense.

At least one major software security company recommends, as best practice, doing an scrypt of your user passwords, and then doing an encryption of that based on a key stored in your appserver (which you may not necessarily lose as easy as you lose your DB).

I'm not necessarily defending that practice -- I was not prepared for a debate when presented with it -- but Reputation.com could well have gotten advice from this company and followed it, and they would call it "Salted and Hashed and Encrypted" very honestly.


> Really? What does encrypted mean? Hashed is not encrypted. You can't unhash. You can find a known source of that hash, but you can't "decrypt".

The e-mail says "encrypted" and then clarifies what it means (salted & hashed). 99% of just about any site's users will not know what hashing means, but they would respond well to the term "encrypted," as it conveys the data was not recovered in a form that would be useful to an attacker. For those who do, it's offered as an explanation. I don't have a problem with this. Sufficiently encrypted data when you can prove an attacker could not access a key is potentially secure (albeit not ideal), just as a simple hash with a basic salt is potentially secure (for now, albeit not ideal).

Things like this are typically written by PR people, not engineers, so while we'd like to hear that passwords were hashed and salted using PBKDF2 with 4096 rounds of HMAC-SHA1, only the few thousand people who saw this article on HN (a small fraction of whom are likely impacted) would care to know this information.

> As for the statement that they aren't legally required to notify you... That's not true. If any of the people on the list live or access their account from North Carolina, or any of the 14 other states that use NC's breach terms then they would have to. Since it is nearly impossible to tell that this is not the case they legally have to give notice. A company that deals in Reputation Management should know this.

IANAL, however from my understanding, internet-based companies that have no physical presence within a state are not bound by these laws as they typically require a physical presence. They are obviously required to follow federal laws, but AFAIK, there is no federal law regarding security breach. However, since this company is based in California, one would expect them to be responsible for abiding by such laws here, and there are such laws. Credible sources, though, indicate that the criteria that require a breach have not been met in this case (first initial or first name + last initial or last name along with specific personally identifying information): http://www.law.berkeley.edu/files/cso_study.pdf. This citing the 2003 law (the study itself was done in 2007). Since the only thing accessed was name, address, dob, and phone numbers, the criteria on page 9 are not met. All handwavy of course, but in my IANAL opinion, this is perfectly valid in a letter. They may very well not be required by law to disclose the breach. They certainly are not required to disclose the breach to EVERY user (given some, themselves, are in CA), so it is neither correct to say "we are required" nor "we are not required." It doesn't really matter, at the end of the day. The breach was disclosed, end of story.

> PS Friendly Tip regarding credible sources I can already buy the list online. With passwords in decyphered. This doesn't lend well to they were Hashed and Salted.

You do not represent a credible source in this matter, nor does "I can already buy the list online" prove that such an availability exists, nor that it actually contains information from this breach, nor that that information contains plaintext password data.

At the end of the day, user passwords should be the least valuable piece of information in that database. I know that realistically they aren't, but I surely can't be the only person who makes the assumption that my password is always compromised for every website I use. I don't re-use passwords, and I generate them cryptographically for each site. I would personally be significantly more upset that they have my DOB, name, email, and phone number than that they have a password of mine.


Law dictates that information on the breech must convey the type of data that was breached and the format which the information was stored in. If you say encrypted, legally it must be.

Reputation.com has an affiliate program they therefore have a presence in all states.

As a noted hacker, security expert, SEO, and Analyst. Short of posting the place to buy it. Yeah, I am the definition of a credible source. There is a reason I speak to the ACLU on such matters. And yes I already reported the where to law enforcement.


This article sort of glosses over the exact user data lost in the data breach: names, email and physical addresses. For users some, phone numbers, date of birth and occupational info.

That is a lot of personal data to lose given Reputation.com's supposed to be opening a data privacy vault this year.[1] The founder gave interview to Fox March 1st describing Reputation.com's move into vendor relationship management.[2]

Advocates for personal data vaults / VRM business model[3][4] like Reputation.com and Personal.com stress that personal data is mishandled today, especially by data brokers. Thus it must be particularly frustrating for Reputation.com to be directly involved in a data breach.

[1] http://www.nytimes.com/2012/12/09/business/company-envisions...

[2] http://www.reputation.com/reputationwatch/multimedia/michael...

[3] https://cyber.law.harvard.edu/projectvrm/Main_Page

[4] http://www.nytimes.com/2012/02/13/technology/start-ups-aim-t...


Is there a reason why in all of these compromises that they never state the type of encryption used on passwords?


Because somewhere between 97% and 100% of the recipients of the message would only be confused by that information.


Confusion, when followed by positive words, can make people happier sometimes. (Wow, I sure am glad they are so smart!)

I don't really see a big drawback to inserting a few extra words, if those words might get reputable people to say that the bad thing that just happened wasn't really so bad.


It seems more likely that they don't realize it's even important until they get hammered for details on what they used. Some PR person asks an engineer and he says "Yeah, it's fine, we hash/encrypt the passwords.." and only after they eventually disclose what they were using and have it explained to them do they realize they screwed up.


Losing information on the scale these guys have is no doubt going to be bad for their reputation.


I'm always nervous when people say they've lost "encrypted" passwords. We need a "plain english" version of https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet or at least issue a warning when you create a "password" VARCHAR in MySQL ;-)


I really hate that OWASP page (it's not as bad as it used to be --- that is, godawful --- and now it's just incoherent) and think we shouldn't be directing developers to it. If there's something "OWASP" (whatever that is) is truly bad at, it's cryptography.


I usually rely on OWASP for general guidelines, but if that page isn't enough for you, what is? (not a rhetorical question)

What should one look into in order to fill in OWASP's gaps?


What things would you change?


What's wrong with it?


> issue a warning when you create a "password" VARCHAR in MySQL

I put my salted and bcrypt'ed passwords in a CHAR or VARCHAR column named "password". Anything wrong with that? Should I change the name of the column to something like "hashed_password"?


The name of the column isn't a problem, rather it's an opportunity to nudge the developer a bit. Or that's how I read the GP's comment.


Indeed. It's that even if you store a hash, it might still not follow best practices getting there. Perhaps I should be petitioning sqlite, since it's more of a developer warning than a production one. But really -- it was a joke ;-)


Ironic. More over, this is exactly why AirBnB should not become an identity store (asking their customers to become verified by scanning and sending their passport info). I do not trust them with my identity.


Seems like a good letter to send for a fishing scam. Call this number that has nothing to do with our company and give them more personal info to "watch your credit".


It's gonna need some reputation defense now.


So their reputation is lost?


When I first read the title, I thought they litteraly LOST their database contents.


Bad reputation




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: