back to article Keepnet kerfuffle: Firing legal threats at bloggers did infosec biz more damage than its exposed database

UK-based infosec outfit Keepnet Labs left an 867GB database of previously compromised website login details accessible to world+dog earlier this year – then sent lawyers' letters to bloggers in a bid to erase their reports of its blunder. A contractor left the Keepnet Elasticsearch database unsecured back in March after …

  1. Saruman the White Silver badge

    I do love it when some PHB's brilliant plan to sick the legal eagles on someone falls apart.

    1. Mark 85

      That seems to be the way things have been going.

      Company screws up.

      Company gets called on it.

      Company denies they were at fault.

      Company sics the lawyers on the one who called them on it.

      Company becomes a laughing stock by IT types.

    2. a_yank_lurker

      Generally the best damage control is to thank those who discovered the problem, fix it, and depending on the scope make restitution to those directly affected.

  2. steviebuk Silver badge

    Never use them again

    We all now know to boycott Keepnet.

    Well done Keepnet, see you at the job centre soon.

  3. Blazde Silver badge

    'Streisand effect' is still the best example of the Streisand effect

    What a silly billy. She doesn't even live there any more and it still makes me chuckle every time it's mentioned.

    1. RM Myers
      FAIL

      Re: 'Streisand effect' is still the best example of the Streisand effect

      The words to "send in the clowns" kept going through my head as I read this story. Since Streisand recorded a version of the song, it just seems doubly appropriate.

  4. DavCrav

    "The 867GB database, claimed Keepnet, contained email addresses harvested from other data spillages that took place between 2013 and 2019."

    867 GB just containing e-mail addresses? That's either a terribly written database, or a lot of addresses. If there's other stuff as well in there, like PII, then I start waving GDPR at this UK-based company.

    1. diodesign (Written by Reg staff) Silver badge

      "just containing e-mail addresses?"

      FWIW Diachenko said the data silo contained:

      * hashtype (the way a password was presented: MD5/hash/plaintext etc)

      * leak date (year)

      * password (hashed, encrypted or plaintext, depending on the leak)

      * email

      * email domain

      * source of the leak (I was able to confirm a few of the most prominent ones: Adobe, Last.fm, Twitter, LinkedIn, Tumblr, VK and others).

      C.

  5. IGotOut Silver badge

    So...

    Keepnet an information security company can keep information secure.

    What a joke.

    Maybe they should just become patent trolls instead, although their lawyers seem as incompetent as the security team.

    Before Keepnet, the information not-sec team blame the contractor...

    ... WHERE THE FUCK WERE YOUR CHANGE CONTROLS?

  6. Anonymous Coward
    Anonymous Coward

    So about that EU directive...

    It's a bit of a reach, but it looks like the lawyers were trying to play on the EU's limited equivalent to DMCA, where immunity from hosting liability ends if the hoster is made aware of illegal content:

    Article 14

    Hosting

    1. Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that:

    (a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or

    (b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.

    Of course the extremely clever and magnificently competent lawyers have begged the question of content illegality by assuming it's defamatory. And they've failed to cite a proper legal basis for the reporting being defamatory. They claim it's untrue, but fail to quote any statement that is demonstrably untrue let alone one that actually appears in the post. What's the betting this was a template letter and the quoted statement appeared on some other site? Really earning those 6-minute billing increments, folks.

  7. Joe Montana

    "We then store this data in our own secure Elasticsearch database"

    This statement has proven to be false, their database was demonstrated to not be secure.

    If all it contained was a mirror of already-public data then noone would have cared anyway.

    Also what is it with hiding known insecure services behind a firewall? The service should have been configured to use a secure form of authentication first, and then placed behind a firewall as a second layer. If one layer still fails you still have others.

    1. Anonymous Coward
      Anonymous Coward

      Some people are worse even than that.

      People who, when told "it's not a good idea to put, what is intended as a LAN product, directly acessible from the internet, you should secure it", respond with "it's ok, were going to put an SSL certificate on the server".

      And these were resellers.

      Of security products.

    2. heyrick Silver badge

      The service should have been configured to [...]

      You're assuming the tech people know what they're doing. Which is more than could be said for legal, and really does make me wonder...

  8. heyrick Silver badge

    truly was exposed for just 10 minutes as Keepnet claimed

    Doesn't really matter. 10 minutes, 10 hours, 10 days...

    What matters is that it was exposed, and that it was noticed. And accessed.

    1. TonyJ

      Re: truly was exposed for just 10 minutes as Keepnet claimed

      "...

      truly was exposed for just 10 minutes as Keepnet claimed

      Doesn't really matter. 10 minutes, 10 hours, 10 days...

      What matters is that it was exposed, and that it was noticed. And accessed..."

      Quite. "I am sorry I murdered you but at least it was a quick death!." Still dead.

  9. Robert Jenkins

    On the subject of GDPR - how is that database content in any way legal?

    OK, the the leaked database contains other peoples information.

    How can a company legally retain data that was never legally released to them or its use authorised by the people who it relates to?

    Anyone want to play "Spot the GDPR Brteaches?

    https://gdpr.eu/article-6-how-to-process-personal-data-legally/

    https://gdpr.eu/article-7-how-to-get-consent-to-collect-personal-data/

    Have they contacted every single person whos data is involved?

    https://gdpr.eu/article-14-personal-data-not-obtained-from-data-subject/

    https://gdpr.eu/article-15-right-of-access/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon