I’m no lawyer, but wouldn’t that basically open them up to an instant win for anyone who files lawsuits against them?
Comment on Plex got hacked.
phoenixz@lemmy.ca 2 weeks ago
I hate the tone companies always use with this
Some evil guys did something to us, it happened to us, and there was nothing we could have done to prevent it, but we were so quick to respond and stop it!
Aka, you fucked up with your security. Could you just once admit that?
b34k@lemmy.world 2 weeks ago
phoenixz@lemmy.ca 2 weeks ago
I’m sure it does, but had they done their security right it likely wouldn’t have happened.
Yeah, 100% secure doesn’t exist but at the same time it’s always closed source companies like these that turn out to have horrible software security. Can’t say for sure of course, but at this point it’s a safe bet
Smoogs@lemmy.world 2 weeks ago
Yes and no. hacking isn’t new. Everyone could get sued technically for security breaches for not taking enough interest in their own security.
But then it’s ridiculous if you could sue your own grandma cuz you once used her computer to print your resume and because she uses default passwords now someone has all your info you had from anything you left behind.
Ransom and hacking is pretty common unfortunately in the industry. And it is in part on the user to also take practices to protect themselves if they haven’t enabled 2F yet. And there’s way more you can do where you make email masks now and simply do not fill in with your accurate information like don’t use your real name.and use a VPN. Store stuff on ext drives and less on clouds that don’t use e2e encryption
I don’t know if it’s perfect but as a user just always have it back in your mind that your information can be obtained(if you ever used a web service to check your info on the dark web, this is pretty much going to be a given) . And it probably has. So maybe at least you can try to control what gets obtained.
AA5B@lemmy.world 2 weeks ago
In some ways 2fa is a weak spot even disregarding recovery processes being open to social engineering, now you’re giving a verified identifier uniquely tied to you
I generate unique email addresses and passwords for every account but can’t realistically do that with phone numbers
2fa by sms or voice isn’t especially secure anyway since you’re open to sim attacks and social engineering. I have a lot more hope for Passkeys but don’t really trust the practical advice arts of managing them yet
Smoogs@lemmy.world 2 weeks ago
…second phone number…
Anyways… we are digressing here,
at this point it’s a lot like protecting anything in life: prevention and making yourself less tasty to a psycho.
If you’ve set it even two step You’re already doing way more than any user they are probably intending this warning to do more to protect themselves who set their password to “password” or phrases haven’t changed it in decades and would even prefer to publicly post their passwords on social willing to give up their entire savings rather than having to do anything further as if technology is too beyond and suddenly so super complex that they have to use different keys on their keyboard other than letters.
You don’t have apply every threat like it’s calculus in a situation where there are people who are scared of even doing basic sums.
This situation was hashtags. Literally. And all they are asking is to rehash it. And here you are already disposing of the 2nd feature after that.
postmateDumbass@lemmy.world 2 weeks ago
Depends on how good the lawyers were that wrote the thing you said you read when signing up.
Eezyville@sh.itjust.works 2 weeks ago
No one is safe from hackers. Everyone and every company will get hacked, it’s unavailable. What matters is how they react to the inevitable because that’s how best practices are made.
phoenixz@lemmy.ca 2 weeks ago
Eh, sorry, no.
Yeah, it is extremely hard to make something impenetrable, but claiming blanket everyone will be hacked is nonsense too.
If a company does IT well it will very unlikely fall victim as they’ll be a very hard target and not worth the time and money.
When a company comes out with that they’ve been hacked you can bet dollars to donuts that they’ve neglected their IT department and infrastructure because the very vast majority of cases have shown that problem
Eezyville@sh.itjust.works 2 weeks ago
I disagree. The weakest point in any and all organizations are the people who work for them. You can have the best IT infrastructure all you want but you cannot escape human error because we are not perfect and, by extension, anything we create is not perfect. Everyone will get hacked, don’t ever think you’re too perfect or you’re in so much control that you are immune.
Everyday0764@lemmy.zip 2 weeks ago
i had to argue with some friends that when a breach happen and the company did not do everything in they’re power to prevent it, then it is the company’s fault.
They argued that bad actor should never do bad things, even it they are at hands reach.
If a company exposes an s3 bucket with clients data publicly, the company is 100% at fault if someone discovers it and sell the data. ofc the guy would be liable too.
phoenixz@lemmy.ca 2 weeks ago
That’s like arguing that if a bank takes my gold to put in a security deposit box but then puts that box open out in the street. Of course the bank would be responsible for the theft.
AnUnusualRelic@lemmy.world 2 weeks ago
It was securedly hashed! We used ROT13! Twice!
hodgepodgin@lemmy.zip 2 weeks ago
It’s possible to use salts, peppers, and password lengthening algorithms that repeatedly hash a password like 100,000 times. So yes, it’s possible to do so securely.
AnUnusualRelic@lemmy.world 2 weeks ago
Ok, but what if it’s only hashed 80 000 times? Should I sue my provider?
phoenixz@lemmy.ca 2 weeks ago
Hah! Amateurs… I XOR all my passwords twice like real hackers do.
korazail@lemmy.myserv.one 2 weeks ago
I understand what you are saying, and what you want… but admitting fault publicly is a huge liability, as they have then stated it was their negligence that caused the issue. (bear with me and read this wall of text – or skip to the last paragraph)
I’ve worked in the Sec Ops space, and it’s an arms race all the time. There are tools to help identify issues and breaches quickly, but the attack surface is just not something that can be managed 100%. Even if you know there is a problem, you probably have to send an issue to a developer team to update their dependency and then they might need to change their code as well and get a code review approved and get a window to promote to production. A Zero-Day vulnerability is not something you can anticipate.
You’ve seen the XKCD of the software stack where a tiny peg is propping up the whole thing? The same idea applies to security, but the tiny peg is a supply chain attack where some dependency is either vulnerable, or attacked by malicious actors and through that gain access to your environment.
Maybe your developers leverage WidgetX1Z library for their app, and the WidgetX1Z library just updated with a change-log that looks reasonable, but the new code has a backdoor that allows an attacker to compromise your developers computer. They now have a foothold in your environment even with rigorous controls. I’ve yet to meet a developer who didn’t need, or at least want, full admin rights on their box. You now have an attacker with local admin inside your network. They might trip alarms, but by then the damage might be done and they were able to harvest the dev database of user accounts and send it back home. That dev database was probably a time-delayed copy of prod, so that the developer could be entirely sure there were no negative impacts of their changes.
I’m not saying this is what happened to Plex, but the idea that modern companies even CAN fully control the data they have is crazy. Unless you are doing full code reviews of all third-party libraries and changes or writing everything in-house (which would be insane), with infallible review, you cannot fully protect against a breach. And even then I’m not sure.
The real threat here is what data do companies collect about us? If all they have is a username, password and company-specific data, then the impact of a breach is not that big – you, as a consumer, should not re-use a password. When they collect tons of other information about us such as age, race, location, gender, sex, orientation, habits, preferences, contacts, partners, politics, etc, then those details become available for anyone willing to pay. We should use breach notifications like this to push for stronger data laws that prevent companies from collecting, storing, buying or selling personal data about their customers. It is literally impossible for a company to fully protect that information, so it should not be allowed.
AA5B@lemmy.world 2 weeks ago
A great place to start is data privacy laws. If they don’t collect unnecessary PII, it can’t be exposed.
But yes, companies need to face more liability. While it’s true that no one is inhackable - you’d need to be perfect everywhere all the time and the bad guys only need one break to succeed - there are best practices that make it a lot more unlikely. If you as a company have been hacked and you’re not taking good care of your customers data, you should be liable for carelessness. Admittedly following good data security practices can be expensive but that’s why there should be consequences for those who cut corners
korazail@lemmy.myserv.one 2 weeks ago
I fully agree: Companies and their leadership should be held accountable when they cut corners and disregard customer data security. The ideal solution would be that a company is required to not store any information beyond what is required to provide the service, a la GDPR, but with a much stricter limit. I would put “marketing” outside that boundary. As a youtube user, you need literally nothing, maybe a username and password to retain history and inferred preferences, but trying to collect info about me should be punished. If your company can’t survive without targeted content, your company should not survive.
In bygone days, your car’s manufacturer didn’t know anything about you and we still bought cars. Not to start a whole new thread, but this ties in to right-to-repair and subscriptions for features as well. I did not buy a license to the car, I bought the fucking car; a license to use the car is called a lease.