Comment on The Discord Breach Might Be Worse Than We Thought, As The Hacker Is Said To Have Two Million Age Verification Photos

AmbitiousProcess@piefed.social ⁨15⁩ ⁨hours⁩ ago

In my opinion, they’re still somewhat at fault, because this was them failing to find and configure their software to work with a third-party identity provider whose infrastructure was built to handle the security of sensitive information, and just choosing to use email through Zendesk because it was easier in the meantime. A platform that, I should note, has been routinely accessed again and again by attackers, not just for Discord, but for all sorts of other companies.

The main problem is that legislation like the Online Safety Act requires some privacy protections, like not collecting or storing certain data unless necessary, but it doesn’t require any particular security measures to be in place. This means that, theoretically, nothing stops a company from passing your ID to their servers in cleartext, for example.

Now compare this to industries like the credit card industry, where they created PCI DSS, which mandates specific security practices. This is why you don’t often see breaches of any card networks or issuers themselves, and why most fraud is external to the systems that actually process payments through these cards (e.g. phishing attacks that get your card info, or a store that already has your card info getting hacked).

This is a HUGE oversight, and one that will lead to things like this happening over and over unless it becomes unprofitable for companies to not care.
