* cough *
"The company claimed none of the data, part of the trove put up for sale in the Dream Market cybersouk, had been misused..."
Armor Games (AG) has confirmed that 100 per cent of its users were caught up in February's mega-leak that saw the details of 617 million online accounts hacked from 16 hacked websites being sold on the dark web. As exclusively revealed by The Register last month, the haul included account databases for Dubsmash (162 million), …
"and information about our password protection processes at the time (including the password salt)"
Hashed passwords: check
Salts used: check
Same salt for all passwords: FAIL!
So still only a few $ spent on Amazon to break into a high percentage of those accounts.
Does that still really rate as "better than clear text passwords"?
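To make the point above concrete (a shared salt versus a per-user salt), here is an added example that is not from the article or any commenter; the accounts, passwords and site-wide salt are constructed, and the wordlist audit only counts how many hash computations each scheme forces on whoever holds the dump.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; same for both schemes so only the salt differs


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample accounts; two users happen to share a password.
USERS = {
    "alice@example.com": "Winter2019!",
    "bob@example.com": "Winter2019!",
    "carol@example.com": "correct horse battery",
}
SITE_WIDE_SALT = b"constructed-constant-salt"  # the "same salt for everyone" mistake


def store_with_shared_salt(users):
    """Weak scheme: one salt for the whole table, so equal passwords give equal hashes."""
    return {email: hash_password(pw, SITE_WIDE_SALT) for email, pw in users.items()}


def store_with_per_user_salt(users):
    """Correct scheme: a fresh random salt per account, stored next to the hash."""
    db = {}
    for email, pw in users.items():
        salt = secrets.token_bytes(16)
        db[email] = (salt, hash_password(pw, salt))
    return db


def duplicate_hash_count(db):
    """How many stored hashes repeat; any repeat leaks 'these users share a password'."""
    hashes = [v if isinstance(v, bytes) else v[1] for v in db.values()]
    return len(hashes) - len(set(hashes))


def audit(db, wordlist, shared_salt=None):
    """Return (accounts matched by the wordlist, PBKDF2 computations needed).

    With a shared salt each candidate is hashed once and compared to every row;
    with per-user salts it must be re-hashed for every account.
    """
    work, matched = 0, set()
    for candidate in wordlist:
        if shared_salt is not None:
            work += 1
            guess = hash_password(candidate, shared_salt)
            matched.update(e for e, h in db.items() if hmac.compare_digest(h, guess))
        else:
            for email, (salt, h) in db.items():
                work += 1
                if hmac.compare_digest(h, hash_password(candidate, salt)):
                    matched.add(email)
    return len(matched), work
```

With three accounts the gap is small, but the shared-salt cost stays at one hash per candidate no matter how many rows the dump holds, which is exactly why the rest of the thread prices the attack in "a few dollars".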
Surely there's a market opportunity here for all the numerous security bods to build a protective template for customers. Out of the box protection.
You know just basic shit:
- we won't store your CCN (even though it's more convenient for you if we did)
- We'll cross check the email password combo you tried to use against known hacked combos and warn you if you are using a hacked combo and disallow it
- We won't store your DoB anywhere associated with any other details (realising that companies' marketing depts need the age profile of their customers to operate but that it doesn't need to be connected to the actual customers' other data)
There's more but I'm hungry and it's late. Sick to death of everyone trying to reinvent this stuff. It really shouldn't be this hard.
"realising that companies' marketing depts ~~need~~ want the age profile of their customers to operate"
The only thing they need a DoB for is if there's some need for an age verification. Even then "over 18" or whatever should be sufficient. Anyway, how are they going to verify the DoB supplied?
Perhaps a useful addition to KeepassX would be a DoB field alongside the other fields and a DoB generator to ensure that all DoBs supplied for a given user are unique.
"Perhaps a useful addition to KeepassX would be a DoB field alongside the other fields and a DoB generator to ensure that all DoBs supplied for a given user are unique."
OK, it sounded good in principle, but then what about the sites that cross-link with e.g. every page having little blue pills with an f in them, sites which then deny all responsibility for misuse of the collected and cross-linked slurped data (not that I'm looking at El Reg here, oh no).
If the slurped DoB entries don't match, then what? Maybe I've misunderstood?
Who cares about privacy policies, the corporate slurpers clearly don't feel any need to obey the law.
>Thankfully, the data haul did not include first or last names, credit card data, addresses or phone numbers. But only because AG didn't hold that information in the database.
Whatever else they messed up, at least they got that right. If you don’t have it, you don’t need to protect it. A good reason to use external payment providers, IMHO.
Biting the hand that feeds IT © 1998–2020