Let’s clarify this title a little. White hat hacker found a way to see the poorly secured database containing said info. It hasn’t been stolen or found on the web, so it wasn’t “leaked” publicly in the sense that it was deliberately made available.
I once had a professional licence that required me to register a whole bunch of personal info to a government website. I used a password generator to create a 32 character password when creating my account.
I tried to login after creating my account but my password wouldn’t work. I hit “forgot my password” and got my password emailed to me in plain text. That alone was worrisome but then I realized my password wasnt working because they truncated it to 8 characters, which I’m assuming is the maximum password length.
I emailed their tech support about my concerns and they emailed back asking if I needed help to login. I said no, I had concerns over security and I never got a reply back. Every few months I’d hit “forgot my password” to see if anything changed. I always got my password emailed to me in plaintext.
Why in the hell are government and bank logins literally the least secure logins I have??
My bank doesn’t let you set an actual password, only a 6 digit pin, and the only 2FA available is SMS codes. I have better security on Lemmy than I do for my fuckin’ financial institution!
They’re downplaying their responsibility and the problem while taking a negative tone about the white hat (bold added):
CUSG was notified of this vulnerability by Jeremiah Fowler, a self-acclaimed “researcher” who appears to access corporate systems to expose vulnerabilities, then notifies the organizations regarding their exposure. At least in the case of this incident, he also requested a “bounty” to help fund his research, and then published the information in his blog which was later picked up by a specialized publication called, “HACK READ.” These posts can then be google-searched by other parties including media outlets. CUSG did not agree to pay the requested “bounty.”
CUSG was in the process of gathering information and preparing a client communication when news of this publication broke. Nowhere in the article is an actual breach alleged. In fact, after exaggerating the incident to readers in an effort to sell their products, even the HACK READ article and Mr. Fowler’s personal blog post point out that the identified vulnerability was secured and rectified “on the same day.” […] In his Website Planet blog, Mr. Fowler has done similar “research/publication” work regarding scores of companies including Software Projects, Australian travel agency Inspiring Vacations, the America Family Law Center, Redcliffe Labs, Deutsche Bank, retailer Hendel Hogar, and numerous others. Again, the motivation seems to be to raise awareness, but also to benefit Mr. Fowler personally in his career as a researcher, writer, and speaker.
CUSG CEO Dave Adams, summarized this incident this way: “While researchers like Mr. Fowler can help remind us of the importance of good data security, the publication of his findings in ways that potentially disparage corporate brands, create a customer “call to action”, and exaggerate the facts is clearly irresponsible and could place him and others at legal risk if their hacked data ends up being mishandled.”
And of course, the obligatory ‘we have an excellent security team, everyone faces threats, you can’t blame us’:
Continuing, Adams expressed confidence in CUSG’s Internal Technology security: “For over 30 years, CUSG has operated with the same experienced technology team and leadership that has a stellar reputation for managing IT security on behalf of its stakeholders. While all companies are exposed to the ever-growing threats of cyber-security, and ransomware, CUSG’s team constantly monitors vulnerabilities and makes corrections immediately as needed and then reports to stakeholders with transparency.”
Basically the standard “we take security seriously”:
https://www.troyhunt.com/we-take-security-seriously-otherwise/
“We take security seriously”, otherwise known as “We didn’t take it seriously enough”
As a non-participating visitor of security forums (which bleed into malicious hackers), I am looking forward to the popcorn.
Right now, my job post bug bounties and hackers pen test and find vulnerabilities. And there’s a LOT of money flowing around in that space - my company alone has paid out over 7-figures collectively. A company’s reputation to honoring the agreement is also sacred. Because if we fail to pay or reject that this is a real vulnerability, our rep tanks and the next time there’s a vulnerability, it won’t be reported, but abused.
CUSG just signalled that they are pieces of shit to the hacker community. And I’m gonna bet they are going to get some serious shit now.
🍿
They aren’t sure yet if someone else found it first. If a smart person found it first they could sell it piecemeal to make it harder to know where it came from. Each identity isn’t worth much but that’s a lot. Combine that with the password stuffing capability from a plain text password list and there’s…
If you ever, ever store passwords in plain text instead of hashed and salted your business should be shut down. Thats below even Security 101 level, and shows a critical carelessness for user data.
When we’re find things like this, unless we have exact audit logs proving there was no misuse, we assume it was misused because that’s the only sane way to do it.
If it turns out they have excellent logging (hah) maybe they can prove it, let’s hope so for the affected people’s sake.
plaintext passwords
They should lose their business license for this. Back when I was a wet-behind-the-ears web developer building apps on the production server I knew not to do something like this.
Sigh, here we go again
