Jewelry Site Leaks Personal Details, Plaintext Passwords of 1.3 Million Users (thenextweb.com)
Chicago-based MBM Company's jewelry brand Limoges Jewelry has accidentally leaked the personal information of over 1.3 million people. This includes addresses, zip codes, e-mail addresses, and IP addresses. The German security firm Kromtech Security, which found the leak via an unsecured Amazon S3 storage bucket, also claims the database contained plaintext passwords. The Next Web reports: In a press release, Kromtech Security's head of communications, Bob Diachenko, said: "Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts." The [MSSQL database] backup file was named "MBMWEB_backup_2018_01_13_003008_2864410.bak," which suggests the file was created on January 13, 2018. It's believed to contain current information about the company's customers. Records held in the database have dates reaching as far back as 2000. The latest records are from the start of this year. Other records held in the database include internal mailing lists, promo codes, and item orders, which leads Kromtech to believe that this could be the primary customer database for the company. Diachenko says there's no evidence a malicious third party has accessed the dump, but that "that does not mean that nobody [has] accessed the data."
webshit gonna webshit (Score:2, Insightful)
Hashing passwords isn't new. So why are people still storing plaintext passwords?
"We just want a webshop" -- Yeah but you're selling expensive luxury goods. That makes addresses of buyers very interesting, don't you think? WHY EVEN KEEP THAT DATA ONLINE?!?
What were you thinking? "We just want a webshop." Right. You were not thinking, nor were the webmonkeys you hired for your webshit. Congratulations, you done leaked, and now your customers' data is all over the place.
Lots of apps put DB passwords in plaintext in con (Score:2)
Lots of apps put DB passwords in plaintext in config files
Re: (Score:2)
Hashing passwords isn't new. So why are people still storing plaintext passwords?
Hashing passwords doesn't work. That so many are STILL advocating a demonstrably worthless course of action scares me more than the revelations of this jewelry site.
Simple truth is passwords chosen by mortals have insufficient entropy to stand on their own regardless of salts, amplifiers, hash algorithm or wishful thinking (e.g. password policy and training). I don't care if these things make it thousands or millions of times harder in practice. With 1.3 million users the outcome is still comically unacce
IANAL (Score:1)
But the phrase gross criminal negligence comes to mind.
In an ideal world, wanton disregard of decades-old security standards should land executives with some fines and possible jail time. For a criminal case, some kind of applicable statute would have to be dug up.
For a civil case, that's way easier. You have to show that it is likely (really a >50% chance) that their actions, negligence or policies led to some damages. Nobody goes to jail. But some lawyers can get rich settling a million dollar class a
Re: (Score:2)
Yep, plain-text passwords... damn, the level of incompetence that could lead someone to believing this is acceptable these days must be really something. This is not the year 2000 (the probable age of this system), where you might expect a few less-than-competent people haven't gotten the word on best industry practices. This isn't even storing password hashes with outdated crypto and without salt. If the report as implied is accurate, this is pants-on-head level stupidity. You really can't explain your
Re: (Score:2)
executives control company processes. They hire the people that hire the people that look after the people who make bad design choices.
What is key, is if someone at the top knows of an issue and at that point chooses not to correct it.
What you likely can't do is punish a low-level individual contributor for being incompetent, beyond the obvious of firing them. The responsibility lands on a company to audit their architecture, and correct mistakes. If you have no process in place to check that your security
As long as there are no repercussions (Score:2, Interesting)
... incompetence and gross negligence on this (admittedly extreme) level will remain common. My suggestion: Immediate payout of $500 to anybody affected, and full cost to anybody that can prove they suffered more damage. If they cannot pay, CEO goes to prison for a few years and has personal fortune impounded. This will lead to companies having insurance for this and insurers taking a critical look at their practices.
Re: (Score:2)
Besides, can't people sue over breach of contract under the privacy policy and terms of use already? Looking at the agreements it seems a fairly straightforward breach of:
"Limogés Jewelry collects information that you volunteer in order to process your order, to inform you of special offers, and so that you may receive superior customer service. We do not share your e-mail address with anyone outs
Re: (Score:2)
My suggestion: Immediate payout of $500 to anybody affected
You need to get a grip on reality. A quick Google search says Limoges Jewelry has annual revenue $7.5M. Let's say they have a 10% net profit (unlikely to be that high). That gives them $750k in available cashflow. So for the 1.3M affected, that is 57 cents each. Metered first class mail costs 46 cents, plus 5 cent for the envelope and check, and that leaves 6 cents. If you really think that $500 per person is realistic, you need to explain where the other 99.9% of the money is going to come from.
Purposely leaked to gov't surveillance (Score:1)
This is how companies participate in the mass surveillance program.
They 'accidentally' leave all of their customers' info in an unsecured location and pretend it was a snafu.
This has been happening A LOT. And no one is learning anything from all these stories?
The system is trying to appeal to your good, trusting, forgiving nature. Do not fall for it.
There is a war being waged against every single one of us by the people sworn to protect us.
As the ad slogan says (Score:2)
Now you have 1.3 million friends in the diamond business!
Make it a crime. (Score:2)
It should be a crime to store plaintext passwords for users on any web site where the public can create ids. There is no reason for it and it's been decades since it was an unacceptable practice on any computer system.
Of course, once it's a crime, civil liability follows.
Safe in the cloud... (Score:2)
Mariners and pilots have known for a long time what clouds mean - DANGER!
Where was this file found? In the "safety" of the cloud, along with hundreds of thousands of other sensitive files placed there for "safety".
.HTACCESS File (Score:2)
htaccess file to stop some of these silly mistakes (Score:1)
Some good gems in the .htaccess file downloadable from here [initializr.com] Of particular interest might be this section to block access to files that end in certain extensions.
https://pastebin.com/16Xn1gSs [pastebin.com]
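An added example of the kind of rule the comment refers to; it is my own Apache 2.4 fragment, not the contents of the linked pastebin or the initializr file. It denies web access to files with extensions that have no business being served (database backups like the .bak in this story, SQL dumps, config and log files) and to dot-directories such as .git, while leaving .well-known reachable. The extension list is an assumption to be adapted per site.

```apache
# Never serve database dumps, backups, config, logs or editor leftovers,
# regardless of where in the web root they were dropped.
<FilesMatch "(?i)\.(bak|sql|mdf|ldf|dump|old|orig|log|ini|config|env|swp)$">
    Require all denied
</FilesMatch>

# Deny dotfiles and dot-directories (.git, .svn, .htpasswd, ...) but keep
# .well-known/ open for ACME and similar standards.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule "(^|/)\.(?!well-known/)" - [F]
</IfModule>
```

Two caveats for this thread's case: a rule like this only applies to requests that reach Apache, so it does nothing for a backup sitting in a public S3 bucket, and it is a backstop rather than the fix; backups and dumps should not be written under the web root (or to a world-readable bucket) in the first place.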
it's 2018 (Score:2)
clear text passwords and unprotected databases, we have learned nothing.
and these things are not even difficult or expensive to implement - there is no excuse here.
Microsoft SQL - Encryption not enabled? (Score:2)
Obviously storing passwords in plain-text is frowned upon. To protect the database and backups you can enable encryption which is really easy to do in the SQL admin tool. This way everything is protected. I'd still use HASH and SALT for storing passwords.
Still cheaper to leak than secure (Score:2)
A couple million bribe to the lawyers of the class action suit, vouchers for 20% discount to the ones affected by the leak. Heck, the company might MAKE money on the deal.
As long as there are no repercussions at all for leaking data, there will be no incentive for securing data.
Storing unhashed passwords in a database means that there will be a major leak, guaranteed. That should be just as illegal as intentionally giving customer details away for money. There needs to be criminal penalties not just civil o
Didn't know what they didn't know (Score:2)
[sic]? it's fine, negligence is a noun (Score:2)
In law "very great negligence" is a lesser used but equivalent term to "gross negligence".
Research before [sic]ing.