HD Manufacturer LaCie Admits Yearlong Data Breach (threatpost.com)
23 points by nimbs 1072 days ago | 17 comments

The site just emailed me my password in cleartext when I used the "forgot password" option, so they must not be hashing them on their side. Seems like a terrible security practice.

The incident notification states "website user names and passwords could also have been accessed", so I guess this means cleartext passwords.

LaCie is not only a HD manufacturer, more importantly it is also the owner of the cloud storage service on the European servers:


"Cloud Collaboration. Rock-Solid Security."



"Our servers are based in Switzerland, Germany, and France."

Which would be preferred by Europeans. Well now...

Title is a little misleading. I own a LaCie External HD and I went there expecting something about hardware level data breaches.

Indeed. Imagine what a competent attacker could do with access to the firmware developer or distribution environment. http://spritesmods.com/?art=hddhack&page=1

LaCie should be forced to publish a list of priorities that were more important than fixing the site for leaky credit cards.

There is a telling lack of consumer-protection laws regarding data leaks and breaches. Compare this with the Android flashlight-dataseller case [1], and you see that companies perceive the data you produce as rightfully theirs to do whatever they want with, except that which is legislatively protected (and even then...).

1. http://bgr.com/2014/04/14/brightest-flashlight-app-scam-sett...

What's the solution? We hate regulation as an industry, but if I was outside the industry, seeing these data breaches over and over again would seem to imply a need for regulation. Looking at PCI and HIPAA, as two examples, it doesn't seem like data protection legislation would be super successful. Any thoughts on that?

How about not requiring personal data when it's necessary anyway, and removing it as soon as it isn't necessary anymore? If I buy a LaCie drive in a brick-and-mortar store and I pay with cash, there is exactly none of my personal data there to be stolen. I don't see why this shouldn't apply to my online purchases. In fact, I'm quite annoyed that it doesn't apply at all.

There's a middle ground where custodial responsibilities are legislated, where the customer retains property rights in the information collected by the company and thus provides a cause of action if the company fucks up.

Because the next time you'd want to shop with that store you'd need to fill out the profile again. This kills the conversion rate.

It's a security/UX tradeoff.

The minor inconvenience of re-entering my shipping data every time clearly outweighs the possibility that some crime syndicate gets their hands on my personal data. At least for me. I would appreciate it to at least have the option to not create an account when I make a purchase. I've seen too many data breaches to have much confidence in the security of the majority of webshops. The only secure safeguard against theft of personal information is to not have it stored in the first place.

This seems like the perfect place for payment processors to exist, like PayPal and Google Wallet or whatever ones out there you'd like to use.

Certainly HIPAA is far more trouble, and every example I can think of, of regulation being passed in haste in response to a witch hunt, has been awful. I'm thinking of stuff like Sarbanes-Oxley or Dodd-Frank. Neither of these did much in terms of their stated goals, but they have created a bunch of problems as unintended consequences.

> being passed in haste in response to a witch hunt

We hear about new attacks and vulnerabilities, more credit card numbers stolen, more personal information stolen, on a weekly basis. I think we're past the point of accusing legislators of acting in a reactionary manner to an isolated incident or two should the proposition of regulation be put forward.

> We hate regulation as an industry

I don't.

I don't understand. The data was leaked from March 27, 2013 to March 10, 2014, but LaCie didn't know that was happening. They found out on March 19, 2014 when the FBI told them about it. I don't see how you infer from this misordered priorities for fixing the site.

I'm no expert in security, but man am I weary of using ANY Adobe product. I guess I continue to confirm that feeling every time I see one of these data breaches and it's tied to Adobe products.
