For years, I've been trying my best to stay low-key when it comes to my personal information on the internet. I don't create new accounts, I never cross-login with my email address, I don't use phones. Certainly not perfect, but a lot of times I prefer privacy over convenience.
At the same time, my government and society at large are pushing more and more for "digital everything". It's great when it works. But to me, every new service translates to a new opportunity for my data to be leaked.
I think one reason why we're still seeing so many breaches is that security is hard and thus expensive - and on the other hand, other than customer push-back, companies or other providers have pretty much nothing to worry about when their data gets extorted. To me, this is impossible. When I give my private data to them, I'm giving them something very valuable. If being careless with that value basically has no consequences, the incentives to care are low.
We need to establish measures of accountability for data holders. Not securing customer data appropriately needs to be persecutable, and the affected parties need to be given a right for compensation. Of course, that's not going to happen. It would be difficult to implement in practice, if at all possible. But as long as there is no monetary incentive for data holders to be as careful as possible, the laxness is going to continue.
>We need to establish measures of accountability for data holders. Not securing customer data appropriately needs to be persecutable, and the affected parties need to be given a right for compensation.
The ultimate entity that could hold businesses accountable is the government but the government itself is careless with citizens' private data.
My "compensation" for my data being leaked was 1 year of free credit monitoring. But obviously, criminals interested in identity theft will continue their attacks after 1 year.
As far as persecution/prosecution, I suppose Katherine Archuleta, the director of OPM, and the CIO, Donna Seymour ... could have been put in prison as punishment instead of just resigning. I don't think that would change anything. There will still be future scenarios where governments want more collection of private data. Flock cameras, TSA airport scans, internet access age-verification face scans, etc.
Katherine Archuleta and Donna Seymour aren't writing code or administering online systems. I'm sure their organizations have security policies and standards, why not put the devs and sysadmins in prison if they didn't follow them?
I think that what we're seeing is evidence that humans, in general, are not capable of securely delivering the kinds of online services that they are trying to deliver. It's just too complicated, and while defenses have to be perfect, attacks only have to work occasionally to be worth doing.
Edit: not that we shouldn't expect best efforts, and financial liability for organizational failures. Prison maybe for clear proven negligence or intentional sabotage, but for mistakes? Nobody will write software anymore. When is the last time you wrote even a screenful of code without a mistake?
This is a bit too far to put the onus on devs for security, and the comparison is more like apples to oranges with other regular licensed engineers. It's hard to justify ROI on security; if anything it makes it harder to roll out features with more traction.
In the absence of any fine, most companies are comfortable with a bit of reputation damage.
When the Minneapolis bridge collapsed there were no criminal charges involved. HN has this obsession with "licensed engineers" as if it completely prevents catastrophe and holds people to the highest standards. It's just a dog and pony show.
It’s a double whammy in places like India where “digital push” means everything is based on your mobile number with the worst safety and regulation the planet has to offer. Push is 100%, safeguards zero (if not negative).
What makes it even worse is every policy and regulation push is just talk on paper, and even if it succeeds and comes into effect, it essentially stays where it was — zero power to the people, zero accountability to others, and negative punishment to the offenders (they are not even considered offenders). There are no legal frameworks like a class action lawsuit either. As in, when you look beyond “paper regulators” (and you won’t have to look hard) there is nothing at all, practically speaking.
The thing is you can’t fight it, and you really can’t opt out. Not here. It feels kafkaesque, you don’t even speak up because 90% or more of your compatriots will wonder what the hell you are on about, if you are lucky enough to be not labelled an anti-national.
The issue is how easy computers make everything, and how well processes scale with computers. Back in the day to heist data you'd have to physically break in or infiltrate, rummage through files, copy them somehow or just straight up take them. In a briefcase?? How many files can you exfiltrate per day like that?
But on a database it's practically a matter of running a copy command and uploading it or exfiltrating it. And there will always be software vulnerabilities.
Computer processes have no inherent rate limiter to them, and they even allow you to run stuff from a distance.
It all comes down to where the boundary for data access is implemented, and how strictly.
If your webapp has unfettered database access then don't be surprised if it is hacked and someone can do `select * from users` and then posts that dump somewhere.
The attack surface changes if your webapp can only do a REST call to pull a single user record at a time. That way you can put some auditing in, you can put rate limiting in to detect that, etc.
Obviously the user record REST api endpoint is still vulnerable, but it's a much smaller attack surface, easier to audit, and can be monitored a lot more closely.
Yes, ultimately, there will still be a set of vulnerable humans that have access to the database servers themselves and they can always walk out of the place with an SD card hidden in a Rubik's cube but there has to be an element of trust somewhere.
The problem is that too many people put that trust boundary way too far out into the big bad Internet. Or don't even consider it at all and just rely on the fact that other targets are more appealing.
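The comment above argues for moving the trust boundary to a narrow data-access service that serves one record per call and can therefore be audited and rate-limited. The following is an added example, not code from any commenter: a small gateway class in Python with a sliding-window limiter and an audit trail, plus a detection pass over that trail that flags enumeration-like callers. The names (UserGateway, suspicious_callers) and the sample user table are invented for the demonstration.

```python
"""Added example: a single-record data-access gateway with audit and rate limit.
Nothing here is from the thread; UserGateway and the USERS table are constructed."""
from collections import deque
from dataclasses import dataclass, field
import time

# Constructed sample table standing in for the users database.
USERS = {uid: {"id": uid, "email": f"user{uid}@example.test"} for uid in range(1, 1001)}


class RateLimited(Exception):
    pass


@dataclass
class UserGateway:
    """Trust boundary: the web tier talks to this object, never to the database.

    The gateway exposes exactly one operation, get_user(caller, user_id).
    There is deliberately no list/search/dump method, so the equivalent of
    `select * from users` is not expressible through this interface."""
    max_calls: int = 20            # lookups allowed per caller per window
    window_seconds: float = 60.0
    audit_log: list = field(default_factory=list)
    _calls: dict = field(default_factory=dict)   # caller -> deque of timestamps

    def _check_rate(self, caller, now):
        q = self._calls.setdefault(caller, deque())
        while q and now - q[0] > self.window_seconds:   # drop entries outside window
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True

    def get_user(self, caller, user_id, now=None):
        now = time.time() if now is None else now
        allowed = self._check_rate(caller, now)
        # Every access attempt is recorded, whether it was served or refused.
        self.audit_log.append({"ts": now, "caller": caller, "user_id": user_id, "allowed": allowed})
        if not allowed:
            raise RateLimited(f"{caller} exceeded {self.max_calls} lookups per {self.window_seconds}s")
        return USERS.get(user_id)


def suspicious_callers(audit_log, distinct_threshold=10):
    """Detection over the audit trail: callers that touched many distinct user
    ids look like enumeration, independent of whether the limiter stopped them."""
    seen = {}
    for entry in audit_log:
        seen.setdefault(entry["caller"], set()).add(entry["user_id"])
    return sorted(c for c, ids in seen.items() if len(ids) >= distinct_threshold)


def simulate():
    """Constructed scenario: one normal session and one caller walking ids 1..200."""
    gw = UserGateway(max_calls=20, window_seconds=60)
    t0 = 1_700_000_000.0
    for i in range(3):                                  # alice views her own record
        gw.get_user("session:alice", 42, now=t0 + i)
    served = blocked = 0
    for uid in range(1, 201):                           # scraper enumerates records
        try:
            gw.get_user("session:scraper", uid, now=t0 + uid * 0.01)
            served += 1
        except RateLimited:
            blocked += 1
    return {"served": served, "blocked": blocked, "flagged": suspicious_callers(gw.audit_log)}


if __name__ == "__main__":
    print(simulate())
```

The limiter caps what a compromised web tier can pull per minute, and the audit pass catches the pattern even for a caller that stays under the cap; the two together are what make the narrow interface monitorable in the way the comment describes.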
We need to attach actual monetary amounts to PII. If a company loses the data they owe you that money. The money is increased based on how and if they disclosed the leak. Lying about a leak should be a criminal offense.
This would allow engineers to better prioritize security, which typically gets ignored or put low in priority.
Wow, I've not heard this idea before and I think it is very interesting! How would you set this amount though? Does the company/user/government set it? Would the same data have different amounts depending on the company?
How would that system handle users with multiple accounts?
I think we should exempt this from double-jeopardy: the fines are considered purely-punitive, and are in addition to any civil or criminal penalty issued by the courts. This will help ensure that organisations can't just price data breaches in to "move fast and break things" and have no further liability, and that people who've experienced damages much greater than the standard fine don't lose their chance to get suitable compensation.
If a business legitimately needs such information to operate, isn't it borderline impossible to 100% prevent it from leaking? If the data is there, it can be compromised either by technical means or non-technical means.
The primary issues in my opinion are (1) businesses collecting and holding on to information they don't need and (2) businesses getting so large that they become prime targets by default.
In a world where pointless data collection was disincentivized and there were many small businesses instead of a few large ones, this problem would be much more localized and addressable. But of course this is a dream within a dream.
I'd also add a third issue to this list: data retention. Too many companies I've dealt with have privacy policies that state something to the tune of "we'll hold onto your data for as long as required" without giving much of an explanation as to how long "as required" is.
Which usually means until the financial incentives to remove the data outweigh the incentives to keep the data. Data is more valuable than database storage costs, thus there is no incentive to remove the data. Policies should therefore be in place to punish unnecessary data retention.
There is a vast difference between it not being 100% impossible and data holders not doing the absolute basics to keep it safe.
I could imagine if, after a data breach, there was a government-run cyber investigative task force that would come into an organization, and be tasked with investigating and fully understanding the nature of the breach. We already have forensic detectives for other crimes, why not this one?
And if it turns out that the failure occurred due to the company acting negligently, a la (whoopsie all the records were in an open S3 bucket) then humans would be found personally liable.
--
But in principle, I also agree with the other causes you list. These are very much what GDPR was aimed at improving. It really is a shame when you look at what GDPR could have accomplished if not for malicious compliance by American tech giants, and shitty enforcement (instigated by American tech giants)
It doesn't even need to be government-run, we just need the right incentives. I've seen proposals for making some kind of data loss insurance mandatory to compensate victims. The insurance companies would then conduct audits which determine the premiums for the company, and investigate for negligence after a breach.
Edit: Thinking more about it, this would probably also be positive for security investigators. If a company is stonewalling you and ignoring a legitimate bug report, you now have the option to escalate this to the insurer. Maybe they could even facilitate bug bounty programs for smaller companies
I've had a similar thought in the past. I was thinking about the feasibility of a law being introduced where each company making over a certain amount of money per year must begin a VDP (and optionally a BBP) so that security flaws can be reported to them easily. This can easily be done by simply opening up security@companydomain and using security.txt (https://securitytxt.org). Reports must receive a response in N days, where N is calculated based on available staff, resource allocation, and revenue of the company. If they don't receive a response after N days, this can be escalated to some government agency which can take action against the company for failing to respond to a report on time.
> I don't create new accounts, I never cross-login with my email address
I honestly tend to think this is the only viable long term strategy.
Let's face it: In a truly global internet where every single forum or website is hosted in a different country with a different jurisdiction, hoping that every single actor will act responsibly is just delusional.
It is not what we see. It is not happening and it is not going to happen.
Individuals need to have a right to online privacy.
That means the right to get a proxy email address, proxy phone number, proxy physical address and even proxy identity (first name/family name).
The sooner the governments will accept that, the better.
If done right, it is not incompatible with a system where identities can be reconstructed by the authorities for legal actions.
If nothing is done, scams and blackmail will continue to spread like bushfire and proxy anonymity will happen anyway outside of any control.
Is the alternative just accepting that my data is out there? Even if I never used any online service, there are databases out there with my information anyway.
Just figure anything online that you aren't securing yourself is compromised. Minimize the effect that has on your life. Identity theft is annoying, but it rarely has severe effects.
You will have to go out of your way to be truly anonymous online, and it might be impossible if you aren't tech savvy enough. Otherwise, just assume everything you do online is public and act accordingly.
> Identity theft is annoying, but it rarely has severe effects.
I disagree. It already has severe effects.
- The fact that we are facing so many data leaks has made it easy for malicious agents to cross and mix data sources and set up much more evolved and convincing scam schemes.
It is now trivial to get name, address, birthday and phone number from a data leak and cross-check that with the login id (email) used for, let's say, a financial service and set up a convincing phone scam on that.
Many dubious actors are already doing that. One acquaintance of mine (working in ITsec, ironically) got trapped by this exact scheme last week.
- It is trivial to harvest data leaks for online telemarketing, robocalls and any other abusive commercial practices.
- We are heading to a situation where any weirdo and/or stalker with a bit of tech know-how can rather trivially extract a physical address out of an online profile. That is a giant open door for harassment and physical insecurity for the most vulnerable of us.
That's not just "nerd concerns" and the strategy "everything you do online is public" does not work. Many websites will request my personal physical address for trivial matters like billing or delivery. That can not by any means be considered public data.
> Many websites will request my personal physical address for trivial matters like billing or delivery. That can not by any means be considered public data.
I just don't buy things online, and avoid anyone having my physical address that way.
Sadly, the ubiquity of terrible 2FA means at least some companies have my phone number, though.
None of these things have historically been considered private information. There's zero reason that knowledge of any or all of this should be considered adequate or even relevant to proving identity.
> Many websites will request my personal physical address for trivial matters like billing or delivery.
Some will even require it for no actual reason at all.
Do I need to give my living address when I buy a sandwich? Then why would I need to when buying an online service?
Similarly, fast food places nearly all have these automated kiosks. They don’t need any info. So why do they require an email address when ordering to the table through the app, while in the restaurant?
They don’t need them. They just demand them because they can and everyone online is used to giving them without a second thought.
I can’t wait for personal data to become digital radioactive waste.
> Otherwise, just assume everything you do online is public and act accordingly.
This is such a depressing reality. It's also what governments want you to believe. If you aren't able to speak your mind about anything anonymously, then you won't be able to, say, spread ideas that go against them.
Admitting defeat at all and not even trying to teach people about privacy results in the "I don't care, what's the point?" attitude that plagues many people today.
> If done right, it is not incompatible with a system where identities can be reconstructed by the authorities for legal actions.
Doing it right is exactly the thing that makes this impossible. If instead you give everyone a unique barcode that every other pseudonym can be tied back to, do you really think that database will never be breached? It would become the prime target for all attackers in the world.
Meanwhile reconstructing "identities" is the least valuable thing to doing law enforcement well, because the first thing criminals will do is use someone else's identity, and then tying something to the wrong identity isn't just useless, it's actively counterproductive. The thing you need is not centralized identity but proper investigations that can tie some activity to the person pulling the strings regardless of whose name they're using.
The thing centralized identity does is precisely the opposite -- it leads you to a person associated with a name, often the wrong person. You want to get the person offering to do murder for hire to think they have a contract and show up somewhere you can arrest them regardless of whether you know their name, not to convict the person whose identity they stole.
> Doing it right is exactly the thing that makes this impossible. [...] do you really think that database will never be breached? It would become the prime target for all attackers in the world.
Critical data is always better in the hand of a few (trustable) than in the hands of many.
That is currently the exact reason why you are using Paypal instead of giving your credit card number to everybody.
That is the exact reason why you are using a password manager.
A lot about security is about who you trust, and for how long.
I don't use Paypal. My credit cards protect me from fraud. And it rarely happens. In fact it's been well over a decade since I had a fraudulent charge on any of my payment cards. Funny how when there's motivation, protection happens.
Your credit card protects you against nothing. Reimbursement in case of fraud is not fraud protection, it is just the bare minimum of customer service.
In fact, the first thing your bank will do when your credit card number has been leaked and was used for fraud... is to replace your credit card.
Because they know that, when the number is in the wild, it will happen again. The system is inherently insecure in case of a data leak.
Visa and Mastercard spent decades and millions constructing systems like "3D Secure" supposed to protect against that by enforcing external authentication factors. But since the system is not enforced in every country, it is still a problem today.
So at the risk of sounding incredibly apathetic toward something that I'm sure is probably a massive headache for some people somewhere...
I'm a millennial and I've been told probably hundreds of times by this point in my life that my data has been breached. Not a single one of those times was there a) anything truly actionable for me to do about it[0] or b) a single negative impact to my actual life. In any way. At all.
People were talking about the Equifax breach a decade ago like identity theft was going to become an absolutely routine part of daily life for +90% of people. That didn't happen, at least not for me.
My point is: I understand that this is a topic that nerd communities like HN are well-aligned on—data collection bad, data breach bad, I get it. But does it actually matter?
Every single one of us has had our data harvested by tech giants every second of every day for absolutely decades and neither I nor a single person I know in real life has ever had any negative consequences, either because of the collection itself or from the inevitable and seemingly continuous breaching of that data. Every single website, from the random indie shoe website I purchased from one time to multiple health insurance companies, has breached my data, over the span of decades, and from all appearances it has had absolutely zero effect that I can actually point to in real actual life.
So I'm becoming a bit of a skeptic on this item of quasi-religious dogma that y'all all seem to recite the same position on. Does the emperor perhaps have no clothes? Do we all just fear "data breaches" because we've been told to fear them by people who sounded smarter than us?
I need y'all to hit me with some scary anecdata about what happened to your hairdresser's cousin's ex-husband's dog—anecdata with no citation that I obviously can't even verify isn't hallucinated by a GPT, but should clearly accept as valid because "ooooh data breach bad"—because without that the propaganda patina on my brain is wearing a little thin.
[0] (I use a password manager to guarantee that I'm not sharing passwords between logins, so really the only thing I could do in response to a data breach disclosure is rotate the password on the breached account. But that only matters if they were storing my password in plaintext right? I certainly can't do anything about my data being out there, and it's too late for closing that account out to prevent anything.)
> I use a password manager to guarantee that I'm not sharing passwords between logins
This already makes your digital hygiene better than at least 70% of the population if not more. I don't have the link off the top of my head but I vaguely recall some survey or article put out by bitwarden that nearly 70% of folks re-use the same password for everything.
A surprising number of those little services do store passwords in plain text, and that's where the risk comes from. So you're right, you and anyone else remotely tech savvy that is smart enough to not re-use passwords is unlikely to face any real hardship over a data breach, but the rest of the population that puts in the same email and re-uses "password123" across every service gets into trouble.
As for anecdata about the hairdresser's cousin - my wife, before I met her, had nearly all of her main online services compromised from a plain text password data breach because she also re-used the same email & pass everywhere. Netflix, Spotify, her email, and Amazon account all taken over and did have fraudulent purchases as a result. Now she has 2FA on everything and uses a password manager :) So I don't doubt that there are real people that suffer financial consequences from data breaches due to poor password hygiene.
Even knowing all of that though, I'd still put phishing as a much bigger threat than most data breaches.
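The comment above (and the footnote it replies to) turns on one distinction: a leaked table of plaintext passwords hands an attacker a reusable credential, while a leaked table of salted, stretched hashes does not. The following added example, not from any commenter, makes that concrete with the standard library's PBKDF2-HMAC-SHA256: it stores and verifies passwords, shows that the same password yields different hashes per user because of the salt, and simulates replaying a leaked value against other services where the user reused the password. The users, passwords and service tables are constructed; the iteration count is lowered from OWASP's current 600,000 recommendation only to keep the demo quick.

```python
"""Added example: plaintext vs salted-and-stretched password storage under a breach.
All users, passwords and service tables below are constructed for the demo."""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256


def store_plaintext(password):
    """The anti-pattern the thread describes: the stored row IS the credential."""
    return password


def store_hashed(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(password, stored):
    """Recompute with the stored salt and iterations; constant-time compare."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {algo!r}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def breach_exposure(leaked_table, other_services):
    """Count accounts an attacker takes over by replaying each leaked stored value
    as a password at other services (which all store hashes). A plaintext leak
    replays the real password; a hashed leak replays a useless hash string."""
    taken_over = 0
    for email, leaked_value in leaked_table.items():
        for service in other_services:
            other = service.get(email)
            if other is not None and verify_hashed(leaked_value, other):
                taken_over += 1
    return taken_over


def simulate():
    """Constructed scenario: alice reuses one password everywhere, bob does not."""
    creds = {"alice@example.test": "Summer2024!", "bob@example.test": "bob-at-shop"}
    email_provider = {"alice@example.test": store_hashed("Summer2024!"),
                      "bob@example.test": store_hashed("bob-at-mail")}
    bank = {"alice@example.test": store_hashed("Summer2024!"),
            "bob@example.test": store_hashed("bob-at-bank")}
    shop_plain = {e: store_plaintext(p) for e, p in creds.items()}   # careless small site
    shop_hashed = {e: store_hashed(p) for e, p in creds.items()}     # same site done right
    return {
        "plaintext_shop_breach_takeovers": breach_exposure(shop_plain, [email_provider, bank]),
        "hashed_shop_breach_takeovers": breach_exposure(shop_hashed, [email_provider, bank]),
        "same_password_same_hash": store_hashed("Summer2024!") == store_hashed("Summer2024!"),
    }


if __name__ == "__main__":
    print(simulate())
```

The hashed breach still lets an attacker run an offline guessing attack against weak passwords, which is what the work factor is for; the point the example isolates is that hashing removes the immediate, zero-effort reuse across services that the plaintext leak in the story above enabled.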
Probably not, because most of us are boring. Most of us don't have stalkers. Most of us don't have government clearances. Most of us aren't politically adjacent, significant, or know someone who is. Most of us are not wealthy. Most of us will not be a target by the relatively small pool of humans who could actually do anything with that data.
I might have a few chains where I do connect to someone important (degrees of connection to Kevin Bacon), but that isn't directly useful here.
The point is it's still private information and it must be protected, if only out of common sense or respect for your fellow humans. We don't need damages to defend this point.
I feel you're correct, and it's why it's a losing battle. It's a spectrum of consequences. The worst outcomes are serious but rare. For most people the most severe outcome they'll deal with are unauthorized credit card charges, which are an annoyance at worst.
The most severe consequences just aren't common enough to elicit any kind of change, and even when they are the response is about cleaning up the damage instead of fixing the upstream problem (how that fraud was allowed to occur in the first place).
Personally, I haven't had any serious leaks that I know of so I've mostly suffered from increased spam and scam attempts (I know they were a result of a leak).
One time there was a leak from a university database and as a result there were a few news articles over the years about people that had their identity stolen likely due to that leak. It's not just credit card charges. They have had loans taken in their names, stuff bought on store credit or something (nowadays that's not so easy), stuff stolen from library in their name...
They had to deal with the fallout for years, always fearing that there's a new letter waiting at home regarding some unpaid expense or from debt enforcement agency that they have to contact and try to make it go away. It shouldn't be too hard if you have an open case with the police but it's not always that easy.
Also, if the leaked data is sensitive (e.g. private conversations, records about mental health etc.), you can face extortion or the data may get published.
One other thing that I know of personally is that victims of harassment very much don't like to have their contact info leaked to the harasser.
If we conceive of civilization as being like a biological system, then perhaps there are certain maladies that just are not worth dedicating resources to. Cells die all the time, of a trillion different causes. Few are worth rewriting an immune system for.
If the most severe consequences of this pattern are sufficiently uncommon—uncommon enough that even by your own admission the system as a whole fails to notice them, much less feel any pain over it—then maybe it's a waste of the organism's resources to attempt a systemic resolution. Maybe the "losing battle" as you call it is not with individual organizations or even with broader data security culture per se. It might not even be with the legal system to finally inflict some, any consequence on anyone for letting this repeatedly happen. Perhaps the battle we're losing is, at some deeper level, with the very physics of civilizational energy distribution and consumption, aka, with societal entropy. In which case... Yeah, that battle seems pretty heckin' losing to me. Good thing identity theft only seems to happen to "other people."
I know this argument is going to ring pretty hollow and the irony will bite me pretty hard if I get my SSN highjacked literally tomorrow. Which, thanks to Equifax in 2017, could theoretically happen any minute now! Just like it could've happened any minute now for the last 9 years!
But then again, even if and just because I suddenly personally care a lot more about this issue because I'm suddenly affected by it, that doesn't obligate you or anyone else to feel the same way.
A certain kind of indifference toward the suffering of others might be civilizationally efficient. In which case it might be absurd and maybe even ethically problematic to care in aggregate any more than we happen to do.
(Just for anyone who struggles with reading comprehension: I'm being incredibly sarcastic here. I think it sucks enormously that we broadly ignore the plight of the few just because most people skate by fine. My top level post is also intended satirically. I do care about this stuff and hate that on balance big companies do not. I'm shouting my protest into the void in the form of irony-laced nihilism, aka, the song of my people, aka, burned-out and disenfranchised millennials tired of hoping for the better world we came up believing would some day exist.)
> Not a single one of those times was there a) anything truly actionable for me to do about it[0] or b) a single negative impact to my actual life. In any way. At all.
My wife has had someone rent an apartment in Oakland and open bank accounts with her name and social. Other than getting the bank accounts cancelled, and locking credit, there's nothing to do. The apartment management said they weren't able to evict based on stolen identity; and Oakland PD did nothing. Reporting identity theft to the FTC like they want you to do is a joke.
Unfortunately, the Oakland address has been showing up in KYC questionnaires so it's probably in some minor credit bureau file as true.
Thankfully AMEX called her to notify when the fraudster tried to open a new AMEX with the wrong address.
There's no accountability for the people that collect this data and allow it to be copied. There's no accountability for those who use it for fraud. There's no accountability when credit bureaux distribute inaccurate data. It's a big mess.
Thankfully, most of the haveibeenpwned breaches I'm involved in are like name and email which big deal. But when at&t allowed their records to be copied, someone tried to open a bank of america account with my info. At&t didn't really need my ssn, but they required it as a condition of service, so they had data people wanted.
I don’t know the leak, but I had someone take out multiple credit cards by phones on loan with my Social Security card. I had to freeze my credit score on all the providers (which I think is ridiculous: that I have to, like, tell another company that I didn’t even sign up for to pause the account that they created for me).
And then go to each company and beg them to accept that this was a fraudulent situation and not me. If they didn’t accept my request, then I would basically be out of luck, owing them the money.
These data leaks are great opportunities for doxing. You can look up all the people that have died from swatters.
> a single negative impact to my actual life. In any way. At all.
This is missing the broader perspective of identity becoming less reliable, and that results in millions of paper cuts in everyday life.
The reason you need to scan your face with your phone to access a government site or your bank is hugely because asking people personal questions or a password has become useless.
There is an argument that the old security models wouldn't have survived for long either way, but if we see it as an arms race, racing at a slower pace is still better than running like there's no tomorrow towards the bitter end.
My anecdote about this is: as someone with all of their credit frozen and generally best practices for password security (password manager, no reuse, offline only vault for important things), I ended up getting caught up in a ghost student loan scam. More info/background here https://www.equifax.com/business/blog/-/insight/article/ghos...
I failed to realize that I needed to secure a studentaid.gov account someone was able to open in my name with data breach information.
Thankfully my credit was frozen so I didn’t need to untangle an actual loan, but it would have been a huge legal mess otherwise.
I guess my fear is what account am I going to miss securing next that leads to a giant life ruining problem? If I didn’t set up credit freezes someone else could have with the info in the breaches. I didn’t even think to secure a studentaid account I didn’t know existed. In theory having those credit bureau accounts frozen should be enough, but anyone with enough information on you can likely recover them regardless.
To me the whole experience really drives home how much of a joke the security on a lot of this is. Anyone who seriously sets their eyes on you can just totally ruin your life if they’re dedicated enough.
Though for most people doing this it's much more effective to take advantage of people who don’t know any better. Credit not frozen, loan accounts not made or secured, etc. Pwning 20 people doing nothing will always be better ROI than trying to pwn one person with their stuff in order. Until you piss off the wrong person or they think you’re worth the effort.
I guess I can see how you can view it as not your problem. But there are only so many grandmas to scam. The whole problem space to me metaphorically is everyone’s door is wide open, grandma’s is just a straight shot to get in. Mine? Well I have some ball bearings, calipers, and a moat but the door’s still open. It’s not like someone is going to rob my open house instead of grandma. I only have to dodge all the traps when I leave and come back but that’s whatever.
The whole thing is absurd. We have doors and locks and better ways to do this and instead we just live like this?
Because we are talking about it and raising awareness of it, we are slowly changing industry practices. You are benefiting from changes adopted due to what happened to previous victims. The change is far from complete.
From a personal example, about ten years ago, my tax return was rejected by the IRS. It turned out someone stole my identity which had been leaked/breached multiple times. At that time it was trivial to file the paperwork and get the tax return sent to someone else.
I see your reductio ad absurdum and counter you with its exact inverse:
Because something bad has happened at some point to someone somewhere, you personally must take precautions against it happening to you?
Do you intend to modify your behavior, spending habits, or thought patterns to reduce the risk of catching mad cow disease? Oh, no? So you're saying mad cow disease doesn't exist?
But mad cow disease has a documented casualty count and data breaches do not. So actually, you're being irrational if you care about and take measures to mitigate the one but not the other.
Now that we've established that you are rationally obligated to mitigate the risk of mad cow disease, I have some guaranteed Definitely Not Placebo[^TM]-brand pills to sell you.
---
If you find this counterargument spurious, absurd, or unfair, then I have a proposal for you: let's both agree that reduction to absurdity benefits no one, and try to talk reasonably in the middle ground between extremes.
> you personally must take precautions against it happening to you?
Well, yes, in the sense I vote for rational politicians rather than raving single issue lunatics.
The problem here is you latch on to the most absurd example, where the actual farmers raising cattle are the ones expected to avoid mad cow disease because there is an actual cost to them (slaughtering their entire herd). The analogy here would be businesses having to protect their customers data or suffer consequences, which they generally don't.
Now, if you're a deer hunter the responsibility now returns to you. If you shoot some janky ass deer and eat it you might find your brain full of holes in a decade. Again, the analogy here would be using some sketch ass card reader, or hell, using an ATM in a part of town where you get mugged.
I found I had exactly that issue ~3 months ago. A particular government department had their systems hacked and 1 of my email addresses became public along with 10s of thousands of other users. That in itself was bad enough except that this particular department had known about the breach about 2 months earlier and to make matters worse they had not been aware that the breach had occurred back in June 2025.
> We need to establish measures of accountability for data holders. Not securing customer data appropriately needs to be prosecutable, and the affected parties need to be given a right for compensation
I 100% agree with you here. The trouble is, the governments, which are often the ones to push for major court-issued penalties when corporations stuff up, don't want to be held to the same level of scrutiny and penalty. Go figure.
As usual, the answer is never "collect less data."
That's the only sensible approach. It's the one that I use, but then, I care about the users of my software, and I don't make any money from their PII.
These days I treat other people's data like it's a live hand grenade. Case in point (bit of a shameless plug here :) I'm working on an App called Hockeytastic. It's an ice-hockey stickhandling app that my son's been using for months: the engine is solid but it looked like shit. However, his coach told me to get it on the app stores and sell subs. That meant I needed to clean it up, build a DB, store stuff etc.
Anyway, working with Google and Apple I realised that I quite literally do not need to store anything identifiable. The only identifier I store is the Apple id and the Google id and unless you steal those and then hack Google and Apple, they are utterly useless.
I do not store emails, names, addresses, nothing. That's the way I want it.
If the data is ever breached, the only thing hackers will see are many many instances of Connor McDavid, Nate Mckinnon and various other famous NHL player names :)
If more companies treated personal data like it was toxic, we'd have less issues with breaches, however, I see it in my day job where the marketing people want to take as much data as possible, all the time!
I wish that were the case, but because of there being barely any consequences for breaches, it's much more profitable to store everything you can and sell it to the highest bidder. Make it a huge risk to store data, then companies will start treating data like a live hand grenade.
Companies can and do get away with arguing that they have a "lawful basis" to collect whatever data they'd like. It's unfortunate.
IANAL, but the law seems a bit vague to me, and it appears that companies use that vagueness to their advantage. Maybe I'm just not articulating my arguments correctly.
Even if you have a lawful basis for collecting data, in theory the GDPR restricts you to only using it for that basis, deleting it as soon as you don't need it anymore, having a plan on how to store and handle it, and requires you to follow best practices when doing so. Backups, encryption, regularly testing the technical and organizational measures that protect the data are in theory all mandated. Also, on the topic of this post, notification of data breaches when they occur.
But enforcement is just laughable. Even on easy to observe issues like which data is collected.
It's for your login and payments. I need to verify that you are authenticated somehow and Google/Apple also handle payments.
You "Login with Apple" or "Login with Google". They manage the login entirely and pass me your id and an access token (assuming you pass their login test). I store that in my DB so that your data from the app can sync (the paid-for app syncs your training data to my backend but I match it only based on the Google/Apple id.)
The alternative is that I build my own auth system and I'd need to store something you can type in the next time, e.g. email/password address etc.
If you have an Android/Apple phone you're already authenticated with them. I just need Google/Apple to say "this guy is cool, let him in" and I then use the id to check if you've paid, sync your training data etc.
On its own, the id is useless! Means nothing and cannot be traced back to a person. I genuinely do not know your name, email, what country you come from, GPS data, CC data. Nothing at all!
If I'm using an app I'm very skeptical of "Login with Google" because I have no way to verify that you're only getting a random identifier and not my email address. I prefer to sign up with a proxy email address.
At least with "Sign in with Apple" you can choose to give a random alias that forwards to your email. I do this for every single service I sign up for. Completely unique Email + password for everything.
It's built into Android/iOS and an accepted way of logging into an app. The app store page (when it's released) shows exactly what I need: practically no information at all.
Google handle the payment and the subscription too (same with Apple) and that's a very common pattern too.
For me, with a similar wildcard setup, it became something I wasn't willing to spend money on. I work on the basis that accounts are compromised and if the company is large enough I'll see it in the news. Strong passwords, and a password-database is the best I can manage.
Can confirm it's free. I tried it based on the GP comment. There are various ways to prove it is your domain: token sent to one of a small number of email addresses like {admin,security,webmaster}@, DNS TXT record, place a small file in the root of the website, etc.
The only extra bits I saw for the other emails on my domain was a plus address I'd used for last.fm which had been leaked. None of the other emails (wife, kid, family, etc) appear in any breach.
I'm slowly moving away from using my own personal domain as it's becoming an ever increasing burden. I'm also concerned that my wife/kid will be left with something they may not have access to, or would stop working at some point, if I suddenly dropped dead.
I had a domain registered and I got notices for about five email addresses - but after a while I was told I'd had too many localparts appear in breaches and I had to pay to upgrade.
It might have changed again now, but that was the point I deleted my account. The pricing list seems to imply a limit on the local-parts for a domain, though ..
You can have haveibeenpwned.com check for the custom domain itself. For instance, I get notified if any email of our family domain gets leaked (not just mine).
Depends where they are in the world. I _think_ GDPR would be a good enough business reason, as they set a ticking clock of 72 hours from the breach to notifying individuals who are in the breach. And the fines involved are pretty steep (almost effing vertical for some).
And if they don't disclose, nothing happens anyway. Maybe a five figure "cost of doing business" slap on the wrist fine, not considering the amount of users affected. Enforcement is extremely selective and bureaucrats essentially operate on "if company in FAANG, take action, else do nothing" programming.
At least in Germany it feels like you need a very dedicated and persistent person to make the case against a company/service (bonus points if they get media attention). Other countries are a bit better but it generally is not very consistent.
The enforcement for most small to mid-sized companies is often just not present and resources for relevant agencies are often only reluctantly allocated. Ime, in government institutions it is generally not very respected as it "impedes progress".
For tech B2B companies where the founders or executive team hold the majority stake in the organisation, yes. A failure to disclose or respond when there is a public notice on an .onion address, or a sample set of your customer data has been published online, creates tangible, direct commercial impact.
You should expect every deal in your pipeline to stall. Your product and company will be flagged by every GRC team, and every stakeholder trying to purchase your product will suddenly need to go to risk committees, or into meetings with CISOs, CTOs, and founders, to explain why buying from you is worth the risk compared to competitors who have not been breached.
If you have not addressed the issue, it becomes a literal deal-breaker. The sooner you write the press release, notify customers, and deal with the underlying problems, the sooner you can turn the incident into a credible story about how you responded, contained it, and improved.
If you do not respond, or you deny it, your deals are dead.
The reason I prefaced this with companies where the founders or executive team hold a majority stake is that I sincerely do not believe the same incentives exist for most other companies. The stock price is not meaningfully impacted by incidents like this; it is more affected by vibes, market conditions, and the general tech economy. There are a hundred things that will move the stock price before cybersecurity and data incidents do.
Operating revenue and profit, however, will be impacted. Executives on a death march for growth, who understand that an incident like this can wipe away a year of progress (and essentially their life's work), are far more likely to take it seriously. They are directly exposed to the commercial consequences.
The companies you see trying to sweep this under the rug, or outright ignore it, are usually one of two things.
1. They are so out of touch with their customers that they would rather listen to a lawyer chasing the “ideal legal-risk outcome” than pursue the best financial, customer and cybersecurity risk outcome. In my experience these are executives who are independently wealthy or already come from wealth, and their priority is simply keeping the status quo.
2. They are simply not incentivised to deal with it properly (neither carrot nor stick). That is: they don't lose their bonus, they don't face the axe, and they aren't rewarded for doing anything "well" in response to it. They might say they're "inherently" exposed because if the business is impacted, so are they (stock price, performance bonuses) -- but that's incredibly disingenuous, as it's pretty much always not a material difference to them.
For B2C or B2B doing "traditional" stuff? No. The incentive simply just isn't there.
At this stage just expect that every account will get leaked or rooted; it's a matter of when, not if...
Use varying email `plus addressing` (john+am2604@foo.com), varying passwords or passkey and 2FA on anything remotely important (use of your identity, not just financials).
Plus addressing (or movable periods in gmail addresses, etc) is increasingly pointless for a whole host of reasons.
It may keep out the bottom x% of spammers/hackers but it doesn't do much for the increasingly sophisticated scams that are appearing.
If the bit before the + ends up in your inbox anyway then it'll just get stripped off and used. Spammers seeing this kind of thing across several breach dumps:
and will leverage that to target spam at you for other sites, or just email bob@example.com as there's a good chance that'll get through.
Years ago I did a test with my own domain where I created two unique aliases with plus addresses, e.g. steve.smith+iawer@example.com, bob.jones+wpoqe@example.com
It didn't take long for emails to start arriving at steve.smith@example.com and bob.jones@example.com even though those email addresses had never been used anywhere ever before.
As others have said, you're better off just creating unique emails with `pwgen -s 16` such as wmR5pNhGI8yidU7N@example.com and storing that in your password manager alongside a similarly random password. (Yes, this is roughly what those unique email address services provide.)
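The stripping described in the comments above, shown as an added example (not code from any poster): normalizing an address the way an aggregator does collapses plus-tagged and dotted aliases back to one base identity, while random local parts generated like `pwgen -s 16` have nothing to strip. The dump of addresses and the dot-insensitive provider list are constructed for the example.

```python
import secrets
import string
from collections import defaultdict

# Providers that ignore dots in the local part (constructed list for this example;
# Gmail is the case the thread mentions).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_email(address: str) -> str:
    """Collapse an address the way a spammer or ad-tech aggregator would:
    lowercase it, drop the '+tag' sub-address, and drop dots where the
    provider ignores them."""
    local, _, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def group_by_identity(addresses):
    """Map each normalized base address to the raw aliases seen for it."""
    groups = defaultdict(set)
    for address in addresses:
        groups[normalize_email(address)].add(address)
    return dict(groups)


def linkable_identities(addresses):
    """Base addresses that several leaked aliases collapse to: these are the
    people whose 'unique' plus addresses bought them nothing."""
    return {base: aliases for base, aliases in group_by_identity(addresses).items()
            if len(aliases) > 1}


def random_alias(domain: str, length: int = 16) -> str:
    """A random local part (same idea as `pwgen -s 16`), one per service,
    stored in the password manager next to the password."""
    alphabet = string.ascii_letters + string.digits
    local = "".join(secrets.choice(alphabet) for _ in range(length))
    return f"{local}@{domain}"


# Constructed sample of addresses as they might appear across several breach dumps.
CONSTRUCTED_DUMP = [
    "steve.smith+iawer@example.com",   # shop A
    "steve.smith+zx12q@example.com",   # shop B
    "Bob.Jones+wpoqe@gmail.com",       # forum
    "bobjones+news@gmail.com",         # newsletter, dots dropped by the provider
    "wmR5pNhGI8yidU7N@example.com",    # random local part, one service
    "q7LpZ2vN0aB4cD8e@example.com",    # random local part, another service
]

if __name__ == "__main__":
    for base, aliases in linkable_identities(CONSTRUCTED_DUMP).items():
        print(f"{base}: {len(aliases)} aliases collapse to this inbox")
    print("fresh alias:", random_alias("example.com"))
```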
Also many services/sites/providers simply assume the username is immutable. $DEITY forbid you might have to change your email address at some point in the future.
I recommend people use proper email aliasing, not plus addressing. DuckDuckGo makes a free one that can integrate into Bitwarden; if you have iCloud+, Apple's ($0.99/month) Hide My Email is good. Addy.io and SimpleLogin are the best and allow PGP encryption to prevent another party having access to your emails, but they are paid for full features.
> Organizations like the IAB require that advertisers normalize email addresses so that they can be correlated and tracked, regardless of users' privacy wishes.
Not to spoil the surprise but it will get much MUCH worse. Reason: sloppers. Anyone who's dealt with security and has looked into how all the slop agents work can understand how catastrophic it is from a security perspective. The "yes" button on "I trust the authors" is what unlocks the gates of hell.
Don't worry, the vibecoders will tire out; they're the same people who were making NFTs and mining bitcoin, they'll move onto the next hot thing soon enough. It's more an archetype, not necessarily the same exact people. They don't commit long term.
It's not needed. There are already alternatives that could take its place. Some of them are able to actually show you what data leaked instead of leaving you blind of what was actually included in the breach.
I don't think he meant "show the actual data," I think he meant "what leaked? My name, address, phone number, email, medical records, payment history, bank account number?"
We get a "your private data is now public" email, but knowing exactly what data turns that from a depressing statement on how much corporations value their customers' privacy into something actionable.
Yes, I meant the actual data so you know what leaked. There is a difference between leaking a password 12345678 and leaking a password that was reused on a different site. There is a difference between leaking your actual birthday and leaking 01/01/1900. There is a difference between leaking a fake address, your previous address, and your current address.
Hashes can be cracked, and end users won't understand how to create password hashes to check which one was leaked. Plus, salts exist.
Passwords shouldn't matter anyways. Use a password manager and be done with it. The real issue is metadata which can't easily be changed - phone numbers, addresses, and the like. If any of that data is leaked, it becomes much harder to contain impact. You can't move addresses every time your address gets leaked online.
I use Snusbase (https://snusbase.com). They've been around since around 2016 and haven't had any issues legally - they're the longest-standing data breach search engine besides HIBP, as far as I know.
"Today, I loaded the 1,000th data breach into Have I Been Pwned. Reflecting on that milestone number, I pondered how to mark the occasion in writing, and what immediately came to mind was a very simple question: why is it still needed?"
Maybe it isn't needed
Originally HIBP and other websites used data breach dumps to solicit further data collection^1, e.g., with a fear-based, clickbaity title like "Have I been pwned?"
Maybe HIBP serves the author, maybe that's why it's "needed"
For example, it brings him notoriety
For example, he can promote his other cybersecurity website via HIBP and paid speaking engagements
The author has expressed dissatisfaction that companies are being penalised for data breaches through class action litigation, including any compensation users might receive as part of these settlements
1. People come to him with breaches that are not public yet.
2. He validates the breaches through a network of volunteers who check if the credentials are real.
3. He provides an easy-to-use service for free.
What is your alternative? Having each person run their own agent scanning the corners of the internet, downloading breaches, and looking for their own accounts? What's the point of that?
I underwent a government required background check to get a security clearance and my data was stolen: https://en.wikipedia.org/wiki/2015_Office_of_Personnel_Manag...
I think that what we're seeing is evidence that humans, in general, are not capable of securely delivering the kinds of online services that they are trying to deliver. It's just too complicated, and while defenses have to be perfect, attacks only have to work occasionally to be worth doing.
Edit: not that we shouldn't expect best efforts, and financial liability for organizational failures. Prison maybe for clear proven negligence or intentional sabotage, but for mistakes? Nobody will write software anymore. When is the last time you wrote even a screenful of code without a mistake?
So we should start treating them like licensed engineers... Actually I agree with this.
In the absence of any fine, most companies are comfortable with bit of reputation damage.
And software holds people to exactly zero standards and it shows.
And the side benefit is that we could summarily execute one every once in a while for failing to write secure code.
Let's not forget the largest data breach in US history by Elon Musk and his DOGE kids.
What makes it even worse is every policy and regulation push is just talk on paper and even it succeeds and comes in effect, it essentially stays at where it was — zero power to the people, zero accountability to others, and negative punishment to the offenders (they are not even considered offenders). There are no legal frameworks like a class action lawsuit either. As in, when you look beyond “paper regulators” (and won’t have to look hard) there is nothing at all, practically speaking.
The thing is you can’t fight it, and you really can’t opt out. Not here. It feels kafkaesque, you don’t even speak up because 90% or more of your compatriots will wonder what the hell you are on about, if you are lucky enough to be not labelled an anti-national.
But on a database it's practically a matter of running a copy command and uploading it or exfiltrating it. And there will always be software vulnerabilities.
Computer processes have no inherent rate limiter to them, and they even allow you to run stuff from a distance.
If your webapp has unfettered database access then don't be surprised if it is hacked and someone can do `select * from users` and then posts that dump somewhere.
The attack surface changes if your webapp can only do a REST call to pull a single user record at a time. That way you can put some auditing in, you can put rate limiting in to detect that, etc.
Obviously the user record REST api endpoint is still vulnerable, but it's a much smaller attack surface, easier to audit, and can be monitored a lot more closely.
Yes, ultimately, there will still be a set of vulnerable humans that have access to the database servers themselves and they can always walk out of the place with an SD card hidden in a Rubik's cube but there has to be an element of trust somewhere.
The problem is that too many people put that trust boundary way too far out into the big bad Internet. Or don't even consider it at all and just rely on the fact that other targets are more appealing.
Databases (SQL) have concept of views, restricted access going all the way to column level.
Connections can be restricted from firewall itself.
One can have MTLS connections with database on the top of it to beef up security.
Unfortunately the generation of people who knew and did all this is just considered friction and has been made obsolete.
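An added example (not code from any poster) of the two points made above: the web app gets a per-record lookup only, every lookup is audited and rate limited so enumeration can be detected, and a direct `select * from users` is refused. SQLite has no roles or GRANT, so a `set_authorizer` callback stands in here for granting the app a role that can only read a column-restricted view; the table, column names and sample rows are constructed for the example.

```python
import sqlite3
import time
from collections import defaultdict, deque

# Columns the application role must never read directly (constructed names).
SENSITIVE_COLUMNS = {("users", "ssn"), ("users", "card_number")}


def _authorizer(action, arg1, arg2, db_name, trigger_or_view):
    # Called by SQLite while preparing each statement; (arg1, arg2) is
    # (table, column) for SQLITE_READ. Denying makes the prepare fail.
    if action == sqlite3.SQLITE_READ and (arg1, arg2) in SENSITIVE_COLUMNS:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def build_database():
    """In-memory database with a column-restricted view and an audit table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY, display_name TEXT, country TEXT,
            ssn TEXT, card_number TEXT);
        CREATE VIEW users_public AS SELECT id, display_name, country FROM users;
        CREATE TABLE audit_log (ts REAL, caller TEXT, user_id INTEGER);
        INSERT INTO users VALUES
            (1, 'alice', 'DE', '000-00-0001', '4111111111111111'),
            (2, 'bob',   'US', '000-00-0002', '4111111111111112'),
            (3, 'carol', 'FR', '000-00-0003', '4111111111111113');
    """)
    conn.set_authorizer(_authorizer)   # restrictions apply from here on
    return conn


def direct_dump_is_blocked(conn):
    """True when a bulk dump of the raw table is refused by the database."""
    try:
        conn.execute("SELECT * FROM users").fetchall()
    except sqlite3.DatabaseError:
        return True
    return False


class UserStore:
    """The only data-access path offered to the web app: one record per call."""

    def __init__(self, conn, max_lookups=5, window_seconds=60.0, clock=time.time):
        self.conn = conn
        self.max_lookups = max_lookups
        self.window = window_seconds
        self.clock = clock
        self._recent = defaultdict(deque)   # caller -> timestamps inside the window

    def get_user(self, caller, user_id):
        now = self.clock()
        recent = self._recent[caller]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_lookups:
            raise PermissionError(f"rate limit exceeded for {caller}")
        recent.append(now)
        # Audit before reading, so lookups of non-existent ids are recorded too.
        self.conn.execute("INSERT INTO audit_log VALUES (?, ?, ?)",
                          (now, caller, user_id))
        row = self.conn.execute(
            "SELECT id, display_name, country FROM users_public WHERE id = ?",
            (user_id,)).fetchone()
        return None if row is None else dict(zip(("id", "display_name", "country"), row))


def detect_enumeration(conn, since_ts, threshold=3):
    """Callers that touched more than `threshold` distinct ids since `since_ts`:
    the signal a single-record API gives you that a bulk query never would."""
    rows = conn.execute(
        "SELECT caller, COUNT(DISTINCT user_id) FROM audit_log WHERE ts >= ? "
        "GROUP BY caller HAVING COUNT(DISTINCT user_id) > ?",
        (since_ts, threshold)).fetchall()
    return {caller: count for caller, count in rows}


if __name__ == "__main__":
    conn = build_database()
    print("direct dump blocked:", direct_dump_is_blocked(conn))
    store = UserStore(conn)
    for uid in range(1, 5):
        store.get_user("scraper", uid)
    print("suspicious callers:", detect_enumeration(conn, 0.0))
```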
This would allow engineers to better prioritize security, which typically gets ignored or put low in priority.
The primary issues in my opinion are (1) businesses collecting and holding on to information they don't need and (2) businesses getting so large that they become prime targets by default.
In a world where pointless data collection was disincentivized and there were many small businesses instead of a few large ones, this problem would be much more localized and addressable. But of course this is a dream within a dream.
I could imagine if, after a data breach, there was a government-run cyber investigative task force that would come into an organization, and be tasked with investigating and fully understanding the nature of the breach. We already have forensic detectives for other crimes, why not this one?
And if it turns out that the failure occurred due to the company acting negligently, a la (whoopsie all the records were in an open S3 bucket) then humans would be found personally liable.
--
But in principle, I also agree with the other causes you list. These are very much what GDPR was aimed at improving. It really is a shame when you look at what GDPR could have accomplished if not for malicious compliance by American tech giants, and shitty enforcement (instigated by American tech giants).
Edit: Thinking more about it, this would probably also be positive for security investigators. If a company is stonewalling you and ignoring a legitimate bug report, you now have the option to escalate this to the insurer. Maybe they could even facilitate bug bounty programs for smaller companies
... you don't create burner email addresses specifically to cross-login with them to one service?
I honestly tend to think this is the only viable long term strategy.
Let's face it: In a truly global internet where every single forum or website is hosted in a different country with a different jurisdiction, hoping that every single actor will act responsibly is just delusional.
It is not what we see. It is not happening and it is not going to happen.
Individuals need to have a right to online privacy.
That means the right to get a proxy email address, proxy phone number, proxy physical address and even proxy identity (first name/family name).
The sooner governments accept that, the better.
If done right, it is not incompatible with a system where identities can be reconstructed by the authorities for legal actions.
If nothing is done, scams and blackmail will continue to spread like bushfire and proxy anonymity will happen anyway outside of any control.
Just figure anything online that you aren't securing yourself is compromised. Minimize the effect that has on your life. Identity theft is annoying, but it rarely has severe effects.
You will have to go out of your way to be truly anonymous online, and it might be impossible if you aren't tech savvy enough. Otherwise, just assume everything you do online is public and act accordingly.
I disagree. It already has severe effects.
- The fact we are facing so many data leaks has made it easy for malicious agents to cross and mix data sources and set up much more evolved and convincing scam schemes.
It is now trivial to get name, address, birthday and phone number from a data leak and cross-check that with the login id (email) used for, let's say, a financial service and set up a convincing phone scam on that.
Many dubious actors are already doing that. One acquaintance of mine (working in ITsec ironically) got trapped by this exact scheme last week.
- It is trivial to harvest data leaks for online telemarketing, robocalls and any other abusive commercial practices.
- We are heading to a situation where any weirdo and/or stalker with a bit of tech know-how can rather trivially extract a physical address out of an online profile. That is a giant open door for harassment and physical insecurity for the most vulnerable of us.
That's not just "nerd concerns" and the strategy "everything you do online is public" does not work. Many websites will request my personal physical address for trivial matters like billing or delivery. That cannot by any means be considered public data.
I just don't buy things online, and avoid anyone having my physical address that way.
Sadly, the ubiquity of terrible 2FA means at least some companies have my phone number, though.
None of these things have historically been considered private information. There's zero reason that knowledge of any or all of this should be considered adequate or even relevant to proving identity.
Some will even require it for no actual reason at all.
Do I need to give my living address when I buy a sandwich? Then why would I need to when buying an online service?
Similarly, fast food places nearly all have these automated kiosks. They don't need any info. So why do they require an email address when ordering to the table through the app, while in the restaurant?
They don’t need them. They just demand them because they can and everyone online is used to giving them without a second thought.
I can’t wait for personal data to become digital radioactive waste.
This is such a depressing reality. It's also what governments want you to believe. If you aren't able to speak your mind about anything anonymously, then you won't be able to, say, spread ideas that go against them.
Admitting defeat at all and not even trying to teach people about privacy results in the "I don't care, what's the point?" attitude that plagues many people today.
Doing it right is exactly the thing that makes this impossible. If instead you give everyone a unique barcode that every other pseudonym can be tied back to, do you really think that database will never be breached? It would become the prime target for all attackers in the world.
Meanwhile reconstructing "identities" is the least valuable thing for doing law enforcement well, because the first thing criminals will do is use someone else's identity, and then tying something to the wrong identity isn't just useless, it's actively counterproductive. The thing you need is not centralized identity but proper investigations that can tie some activity to the person pulling the strings regardless of whose name they're using.
The thing centralized identity does is precisely the opposite -- it leads you to the person associated with a name, often the wrong person. You want to get the person offering to do murder for hire to think they have a contract and show up somewhere you can arrest them regardless of whether you know their name, not to convict the person whose identity they stole.
Critical data is always better in the hands of a few (trustable) than in the hands of many.
That is currently the exact reason why you are using Paypal instead of giving your credit card number to everybody.
That is the exact reason why you are using a password manager.
A lot about security is about who you trust, and for how long.
Your credit card protects you against nothing. Reimbursement in case of fraud is not fraud protection, it is just bare minimal customer service.
In fact, the first thing your bank will do when your credit card number has been leaked and was used for a fraud... is to replace your credit card.
Because they know that, when the number is in the wild, it will happen again. The system is inherently insecure in case of a data leak.
Visa and Mastercard spent decades and millions constructing systems like "3D Secure" supposed to protect against that by enforcing external authentication factors. But since the system is not enforced in every country, it is still a problem today.
This is true, and it needs to change. The incentives are warped right now, as a decent chunk of global GDP traces itself back to ad tech.
I'm a millennial and I've been told probably hundreds of times by this point in my life that my data has been breached. Not a single one of those times was there a) anything truly actionable for me to do about it[0] or b) a single negative impact to my actual life. In anyway. At all.
People were talking about the Equifax breach a decade ago like identity theft was going to become an absolutely routine part of daily life for +90% of people. That didn't happen, at least not for me.
My point is: I understand that this is a topic that nerd communities like HN are well-aligned on—data collection bad, data breach bad, I get it. But does it actually matter?
Every single one of us has had our data harvested by tech giants every second of every day for absolutely decades and neither I nor a single person I know in real life have ever had any negative consequences, either because of the collection itself or from the inevitable and seemingly continuous breaching of that data. Every single website, from the random indie shoe website I purchased from one time to multiple health insurance companies, has breached my data, over the span of decades, and from all appearances it has had absolutely zero effect that I can actually point to in real actual life.
So I'm becoming a bit of a skeptic on this item of quasi-religious dogma that y'all all seem to recite the same position on. Does the emperor perhaps have no clothes? Do we all just fear "data breaches" because we've been told to fear them by people who sounded smarter than us?
I need y'all to hit me with some scary anecdata about what happened to your hairdresser's cousin's ex-husband's dog—anecdata with no citation that I obviously can't even verify isn't hallucinated by a GPT, but should clearly accept as valid because "ooooh data breach bad"—because without that the propaganda patina on my brain is wearing a little thin.
[0] (I use a password manager to guarantee that I'm not sharing passwords between logins, so really the only thing I could do in response to a data breach disclosure is rotate the password on the breached account. But that only matters if they were storing my password in plaintext right? I certainly can't do anything about my data being out there, and it's too late for closing that account out to prevent anything.)
This already makes your digital hygiene better than at least 70% of the population if not more. I don't have the link off the top of my head but I vaguely recall some survey or article put out by Bitwarden that nearly 70% of folks re-use the same password for everything.
A surprising number of those little services do store passwords in plain text, and that's where the risk comes from. So you're right, you and anyone else remotely tech savvy that is smart enough to not re-use passwords is unlikely to face any real hardship over a data breach, but the rest of the population that puts in the same email and re-uses "password123" across every service gets into trouble.
As for anecdata about the hairdresser's cousin - my wife, before I met her, had nearly all of her main online services compromised from a plain text password data breach because she also re-used the same email & pass everywhere. Netflix, Spotify, her email, and Amazon account all taken over and did have fraudulent purchases as a result. Now she has 2FA on everything and uses a password manager :) So I don't doubt that there are real people that suffer financial consequences from data breaches due to poor password hygiene.
Even knowing all of that though, I'd still put phishing as a much bigger threat than most data breaches.
Probably not, because most of us are boring. Most of us don't have stalkers. Most of us don't have government clearances. Most of us aren't politically adjacent, significant, or know someone who is. Most of us are not wealthy. Most of us will not be a target by the relatively small pool of humans who could actually do anything with that data.
I might have a few chains where I do connect to someone important (degrees of connection to Kevin Bacon), but that isn't directly useful here.
The point is it's still private information and it must be protected, if only out of common sense or respect for your fellow humans. We don't need damages to defend this point.
The most severe consequences just aren't common enough to elicit any kind of change, and even when they are the response is about cleaning up the damage instead of fixing the upstream problem (how that fraud was allowed to occur in the first place).
One time there was a leak from a university database and as a result there were a few news articles over the years about people that had their identity stolen likely due to that leak. It's not just credit card charges. They have had loans taken in their names, stuff bought on store credit or something (nowadays that's not so easy), stuff stolen from the library in their name...
They had to deal with the fallout for years, always fearing that there's a new letter waiting at home regarding some unpaid expense or from a debt enforcement agency that they have to contact and try to make it go away. It shouldn't be too hard if you have an open case with the police but it's not always that easy.
Also, if the leaked data is sensitive (e.g. private conversations, records about mental health etc.), you can face extortion or the data may get published.
One other thing that I know of personally is that victims of harassment very much don't like to have their contact info leaked to the harasser.
If the most severe consequences of this pattern are sufficiently uncommon—uncommon enough that even by your own admission the system as a whole fails to notice them, much less feel any pain over it—then maybe it's a waste of the organism's resources to attempt a systemic resolution. Maybe the "losing battle" as you call it is not with individual organizations or even with broader data security culture per se. It might not even be with the legal system to finally inflict some, any consequence on anyone for letting this repeatedly happen. Perhaps the battle we're losing is, at some deeper level, with the very physics of civilizational energy distribution and consumption, aka, with societal entropy. In which case... Yeah, that battle seems pretty heckin' losing to me. Good thing identity theft only seems to happen to "other people."
I know this argument is going to ring pretty hollow and the irony will bite me pretty hard if I get my SSN hijacked literally tomorrow. Which, thanks to Equifax in 2017, could theoretically happen any minute now! Just like it could've happened any minute now for the last 9 years!
But then again, even if and just because I suddenly personally care a lot more about this issue because I'm suddenly affected by it, that doesn't obligate you or anyone else to feel the same way.
A certain kind of indifference toward the suffering of others might be civilizationally efficient. In which case it might be absurd and maybe even ethically problematic to care in aggregate any more than we happen to do.
Literally, who's to say?
My wife has had someone rent an apartment in Oakland and open bank accounts with her name and social. Other than getting the bank accounts cancelled, and locking credit, there's nothing to do. The apartment management said they weren't able to evict based on stolen identity; and Oakland PD did nothing. Reporting identity theft to the FTC like they want you to do is a joke.
Unfortunately, the Oakland address has been showing up in KYC questionnaires so it's probably in some minor credit bureau file as true.
Thankfully AMEX called her to notify when the fraudster tried to open a new AMEX with the wrong address.
There's no accountability for the people that collect this data and allow it to be copied. There's no accountability for those who use it for fraud. There's no accountability when credit bureaux distribute inaccurate data. It's a big mess.
Thankfully, most of the haveibeenpwned breaches I'm involved in are like name and email, which, big deal. But when AT&T allowed their records to be copied, someone tried to open a Bank of America account with my info. AT&T didn't really need my SSN, but they required it as a condition of service, so they had data people wanted.
And then go to each company and beg them to accept that this was a fraudulent situation and not me. If they didn't accept my request, then I would basically be out of luck, owing them the money.
These data leaks are great opportunities for doxing. You can look up all the people that have died from swatters.
This is missing the broader perspective of identity becoming less reliable, and that results in millions of paper cuts in everyday life.
The reason you need to scan your face with your phone to access a government site or your bank is hugely because asking people personal questions or a password has become useless.
There is an argument that the old security models wouldn't have survived for long either way, but if we see it as an arms race, racing at a slower pace is still better than running like there's no tomorrow towards the bitter end.
I failed to realize that I needed to secure a studentaid.gov account someone was able to open in my name with data breach information.
Thankfully my credit was frozen so I didn’t need to untangle an actual loan, but it would have been a huge legal mess otherwise.
I guess my fear is what account am I going to miss securing next that leads to a giant life ruining problem? If I didn't set up credit freezes someone else could have with the info in the breaches. I didn't even think to secure a studentaid account I didn't know existed. In theory having those credit bureau accounts frozen should be enough, but anyone with enough information on you can likely recover them regardless.
To me the whole experience really drives home how much of a joke the security on a lot of this is. Anyone who seriously sets their eyes on you can just totally ruin your life if they’re dedicated enough.
Though for most people doing this, it's much more effective to take advantage of people who don't know any better. Credit not frozen, loan accounts not made or secured, etc. Pwning 20 people doing nothing will always be better ROI than trying to PWN one person with their stuff in order. Until you piss off the wrong person or they think you're worth the effort.
I guess I can see how you can view it as not your problem. But there are only so many grandmas to scam. The whole problem space to me metaphorically is everyone's door is wide open, grandma's is just a straight shot to get in. Mine? Well I have some ball bearings, calipers, and a moat but the door's still open. It's not like someone is going to rob my open house instead of grandma. I only have to dodge all the traps when I leave and come back but that's whatever.
The whole thing is absurd. We have doors and locks and better ways to do this and instead we just live like this?
From a personal example, about ten years ago, my tax return was rejected by the IRS. It turned out someone stole my identity which had been leaked/breached multiple times. At that time it was trivial to file the paperwork and get the tax return sent to someone else.
Because something bad has happened at some point to someone somewhere, you personally must take precautions against it happening to you?
Do you intend to modify your behavior, spending habits, or thought patterns to reduce the risk of catching mad cow disease? Oh, no? So you're saying mad cow disease doesn't exist?
But mad cow disease has a documented casualty count and data breaches do not. So actually, you're being irrational if you care about and take measures to mitigate the one but not the other.
Now that we've established that you are rationally obligated to mitigate the risk of mad cow disease, I have some guaranteed Definitely Not Placebo[^TM]-brand pills to sell you.
---
If you find this counterargument spurious, absurd, or unfair, then I have a proposal for you: let's both agree that reduction to absurdity benefits no one, and try to talk reasonably in the middle ground between extremes.
Well, yes, in the sense I vote for rational politicians rather than raving single issue lunatics.
The problem here is you latch on to the most absurd example, where the actual farmers raising cattle are the ones expected to avoid mad cow disease because there is an actual cost to them (slaughtering their entire herd). The analogy here would be businesses having to protect their customers data or suffer consequences, which they generally don't.
Now, if you're a deer hunter the responsibility now returns to you. If you shoot some janky ass deer and eat it you might find your brain full of holes in a decade. Again, the analogy here would be using some sketch ass card reader, or hell, using an ATM in a part of town where you get mugged.
> We need to establish measures of accountability for data holders. Not securing customer data appropriately needs to be prosecutable, and the affected parties need to be given a right for compensation
I 100% agree with you here. The trouble is, the government, which is often the one to push for major court-issued penalties when corporations stuff up, doesn't want to be held to the same level of scrutiny and penalty. Go figure
That's the only sensible approach. It's the one that I use, but then, I care about the users of my software, and I don't make any money from their PII.
Anyway, working with Google and Apple I realised that I quite literally do not need to store anything identifiable. The only identifier I store is the Apple id and the Google id and unless you steal those and then hack Google and Apple, they are utterly useless.
I do not store emails, names, addresses, nothing. That's the way I want it.
If the data is ever breached, the only thing hackers will see are many many instances of Connor McDavid, Nate Mckinnon and various other famous NHL player names :)
If more companies treated personal data like it was toxic, we'd have fewer issues with breaches, however, I see it in my day job where the marketing people want to take as much data as possible, all the time!
IANAL, but the law seems a bit vague to me, and it appears that companies use that vagueness to their advantage. Maybe I'm just not articulating my arguments correctly.
But enforcement is just laughable. Even on easy to observe issues like which data is collected.
You "Login with Apple" or "Login with Google". They manage the login entirely and pass me your id and an access token (assuming you pass their login test). I store that in my DB so that your data from the app can sync (the paid-for app syncs your training data to my backend but I match it only based on the Google/Apple id.)
The alternative is that I build my own auth system and I'd need to store something you can type in the next time, e.g. email address/password etc.
If you have an Android/Apple phone you're already authenticated with them. I just need Google/Apple to say "this guy is cool, let him in" and I then use the id to check if you've paid, sync your training data etc.
On its own, the id is useless! Means nothing and cannot be traced back to a person. I genuinely do not know your name, email, what country you come from, GPS data, CC data. Nothing at all!
I don't want your data.
Google handle the payment and the subscription too (same with Apple) and that's a very common pattern too.
I understand the skepticism though.
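The backend side of the pattern described above (verify a provider-issued ID token, keep only the opaque subject identifier, discard everything else) as an added example; it is not the commenter's code. To run offline it signs tokens with HS256 and a constructed shared secret standing in for the provider; real Google or Apple ID tokens are RS256/ES256 signed and must be verified against the provider's published JWKS instead, but the issuer/audience/expiry checks and the data-minimisation step are the same. The issuer, audience and secret values are constructed.

```python
"""Verify a provider ID token and persist nothing but its `sub` claim.

Added illustration, not the commenter's code. Simplification: HS256 with a
constructed shared secret so the demo runs offline. Real Google/Apple
tokens are asymmetrically signed; verify them against the provider JWKS.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values: a stand-in signing secret and the issuer/audience
# this backend is willing to accept.
DEMO_SECRET = b"demo-signing-secret-not-for-production"
EXPECTED_ISS = "https://accounts.example-provider.invalid"
EXPECTED_AUD = "com.example.trainingapp"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT; plays the role of the identity provider here."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = DEMO_SECRET,
                 now: Optional[float] = None) -> dict:
    """Return the claims only if signature, alg, iss, aud and exp all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm server-side; never let the token choose it.
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("token was issued for a different app")
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("expired")
    return claims


# The only persisted table: provider subject -> app state. No email, no name.
USERS: dict = {}


def login(token: str, now: Optional[float] = None) -> str:
    """Verify the token and upsert a user record keyed solely by `sub`."""
    claims = verify_token(token, now=now)
    sub = claims["sub"]
    # Deliberately ignore email/name/picture even if the provider sent them.
    USERS.setdefault(sub, {"paid": False, "training_data": []})
    return sub


def stored_fields() -> set:
    """Every key that ever reaches storage; useful as a minimisation check."""
    return {k for rec in USERS.values() for k in rec}
```

If a breach of `USERS` happens, the attacker holds provider subject IDs that are meaningless without the provider's own account database, which is exactly the property the comment relies on.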
Can I find out if any of my emails are in leaks with a service somewhere?
https://haveibeenpwned.com/
https://haveibeenpwned.com/Subscription#corePlans
For me, with a similar wildcard setup, it became something I wasn't willing to spend money on. I work on the basis that accounts are compromised and if the company is large enough I'll see it in the news. Strong passwords, and a password-database is the best I can manage.
The only extra bits I saw for the other emails on my domain was a plus address I'd used for last.fm which had been leaked. None of the other emails (wife, kid, family, etc) appear in any breach.
I'm slowly moving away from using my own personal domain as it's becoming an ever increasing burden. I'm also concerned that my wife/kid will be left with something they may not have access to, or would stop working at some point, if I suddenly dropped dead.
It might have changed again now, but that was the point I deleted my account. The pricing list seems to imply a limit on the local-parts for a domain, though ..
At least in Germany it feels like you need a very dedicated and persistent person to make the case against a company/service (bonus points if they get media attention). Other countries are a bit better but it generally is not very consistent.
The enforcement for most small to mid-sized companies is often just not present and resources for relevant agencies are often only reluctantly allocated. IME, in government institutions it is generally not very respected as it "impedes progress".
You should expect every deal in your pipeline to stall. Your product and company will be flagged by every GRC team, and every stakeholder trying to purchase your product will suddenly need to go to risk committees, or into meetings with CISOs, CTOs, and founders, to explain why buying from you is worth the risk compared to competitors who have not been breached.
If you have not addressed the issue, it becomes a literal deal-breaker. The sooner you write the press release, notify customers, and deal with the underlying problems, the sooner you can turn the incident into a credible story about how you responded, contained it, and improved.
If you do not respond, or you deny it, your deals are dead.
The reason I prefaced this with companies where the founders or executive team hold a majority stake is that I sincerely do not believe the same incentives do not exist for most other companies. The stock price is not meaningfully impacted by incidents like this; it is more affected by vibes, market conditions, and the general tech economy. There are a hundred things that will move the stock price before cybersecurity and data incidents do.
Operating revenue and profit, however, will be impacted. Executives on a death march for growth, who understand that an incident like this can wipe away a year of progress (and essentially their life's work), are far more likely to take it seriously. They are directly exposed to the commercial consequences.
The companies you see trying to sweep this under the rug, or outright ignore it, are usually one of two things.
1. They are so out of touch with their customers that they would rather listen to a lawyer chasing the “ideal legal-risk outcome” than pursue the best financial, customer and cybersecurity risk outcome. In my experience these are executives who are independently wealthy or already come from wealth, and their priority is simply keeping the status quo.
2. They are simply not incentivised to deal with it properly (carrot, nor stick). That is: they don't lose their bonus, they don't face the axe, and they aren't rewarded for doing anything "well" in response to it. They might say they're "inherently" exposed because if the business is impacted, so are they (stock price, performance bonuses) -- but that's incredibly disingenuous, as it's pretty much always not a material difference to them.
For B2C or B2B doing "traditional" stuff? No. The incentive simply just isn't there.
GDPR, CCPA, whatever, hasn't moved the dial.
Use varying email `plus addressing` (john+am2604@foo.com), varying passwords or passkey and 2FA on anything remotely important (use of your identity, not just financials).
It may keep out the bottom x% of spammers/hackers but it doesn't do much for the increasingly sophisticated scams that are appearing.
If the bit before the + ends up in your inbox anyway then it'll just get stripped off and used. Spammers seeing this kind of thing across several breach dumps:
bob+trello@example.com, bob+spotify@example.com, bob+chase@example.com
and will leverage that to target spam at you for other sites, or just email bob@example.com as there's a good chance that'll get through.
Years ago I did a test with my own domain where I created two unique aliases with plus addresses, e.g. steve.smith+iawer@example.com, bob.jones+wpoqe@example.com
It didn't take long for emails to start arriving to steve.smith@example.com and bob.jones@example.com even though that email address had never been used anywhere ever before.
As others have said, you're better off just creating unique emails with `pwgen -s 16` such as wmR5pNhGI8yidU7N@example.com and storing that in your password manager alongside a similarly random password. (Yes, this is roughly what those unique email address services provide.)
Also many services/sites/providers simply assume the username is immutable. $DEITY forbid you might have to change your email address at some point in the future.
> Organizations like the IAB require that advertisers normalize email addresses so that they can be correlated and tracked, regardless of users' privacy wishes.
https://www.privacyguides.org/en/email-aliasing/#over-plus-a...
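The normalisation step the comments above describe, as an added example (not from any commenter): canonicalise addresses the way breach processors and ad-tech matchers do (lowercase, drop the `+tag`, and for Gmail drop dots, which Gmail ignores) and watch the plus-addressed variants collapse onto one identity, while random aliases generated with the `secrets` module in the spirit of the `pwgen -s 16` suggestion stay unlinkable. The sample dump is constructed.

```python
"""Plus-address tags collapse under normalisation; random aliases do not.

Added example, not from the thread. Sample addresses are constructed.
"""
import secrets
import string
from collections import defaultdict

ALIAS_ALPHABET = string.ascii_letters + string.digits


def normalize(address: str) -> str:
    """Canonical form used to correlate one person across dumps."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local = local.split("+", 1)[0]            # bob+trello -> bob
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")        # b.o.b -> bob; Gmail ignores dots
        domain = "gmail.com"
    return f"{local}@{domain}"


def random_alias(domain: str, length: int = 16) -> str:
    """Per-service alias whose local part carries no link to any other alias."""
    local = "".join(secrets.choice(ALIAS_ALPHABET) for _ in range(length))
    return f"{local}@{domain}"


def link_identities(addresses):
    """Group raw addresses from several dumps by canonical identity."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[normalize(addr)].append(addr)
    return dict(groups)


# Constructed sample of what a few breach dumps might hold for one person.
SAMPLE_DUMP = [
    "bob+trello@example.com",
    "Bob+spotify@Example.com",
    "bob+chase@example.com",
    "b.o.b+news@gmail.com",
    "bob@gmail.com",
]


def demo():
    """Plus tags merge into two identities; two random aliases stay apart."""
    groups = link_identities(SAMPLE_DUMP)
    a, b = random_alias("example.com"), random_alias("example.com")
    return groups, normalize(a) == normalize(b)
```

Run `demo()` and the five dump entries reduce to `bob@example.com` and `bob@gmail.com`, which is all a spammer needs to reach the base mailbox; the two random aliases never normalise to the same thing, so a leak of one says nothing about the other.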
Ever since I don't trust online services.
Google and Apple are throttling hotfix updates (for app developers) as tons of code pushes to their infra (by vibe coders) is straining their system.
They are fixing this by throttling updates to a minimum 3 day review period.
So good luck fixing the vulnerability or data leaks in your apps.
This seems to rhyme with "Don't worry, the spammers will tire out"
Narrator: "The spammers in fact, did not tire out"
I wonder what's next, I feel it might be a huge swing of the pendulum next.
It's not needed. There are already alternatives that could take its place. Some of them are able to actually show you what data leaked instead of leaving you blind of what was actually included in the breach.
https://www.troyhunt.com/here-are-all-the-reasons-i-dont-mak...
We get a "your private data is now public" email, but knowing exactly what data turns that from a depressing statement on how much corporations value their customers' privacy into something actionable.
There seems to be some amount of entitlement by people in this thread to get information from a third party about what a first party to them lost.
The first party that lost your data should be the one that shows you exactly what was compromised.
It could show the hash instead.
>No, it's not ok that these passwords are already out there
So it's better that people have to pay for it instead of getting this information for free?
>Because it's important to say "I don't store passwords in HIBP"
This is a personal choice.
>I'm not your personal lookup service
The idea is that this would be done by the site itself and would not require manual work by the owner.
Passwords shouldn't matter anyways. Use a password manager and be done with it. The real issue is metadata which can't easily be changed - phone numbers, addresses, and the like. If any of that data is leaked, it becomes much harder to contain impact. You can't move addresses every time your address gets leaked online.
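The "done by the site itself" idea above, where a service checks a candidate password against a breach corpus on the user's behalf, can be implemented without sending the password or even its full hash anywhere. This added example (not HIBP's code) implements the k-anonymity range lookup that the Pwned Passwords API exposes: only the first five hex characters of SHA-1(password) leave the site, and the match is made locally against the returned suffix list. The fetcher is injectable so the block runs offline against a constructed response; the live endpoint shape (`https://api.pwnedpasswords.com/range/<prefix>`, returning `SUFFIX:COUNT` lines) is the public API.

```python
"""k-anonymity breached-password check at registration time.

Added example, not HIBP's code. `fake_fetch_range` and its counts are
constructed so the demo runs offline; `live_fetch_range` shows the real call.
"""
import hashlib
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range(digest_hex: str):
    """5-char prefix goes over the wire; 35-char suffix is matched locally."""
    return digest_hex[:5], digest_hex[5:]


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = split_for_range(sha1_hex(password))
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def acceptable_at_signup(password: str, fetch_range: Callable[[str], str],
                         min_length: int = 12) -> bool:
    """Policy: long enough and never seen in a breach dump."""
    return len(password) >= min_length and breach_count(password, fetch_range) == 0


def live_fetch_range(prefix: str) -> str:
    """Real lookup; not exercised offline."""
    import urllib.request
    req = urllib.request.Request(RANGE_URL.format(prefix=prefix),
                                 headers={"User-Agent": "signup-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in: knows one breached password, pads the answer
# with unrelated suffixes the way the real endpoint does.
_CONSTRUCTED_CORPUS = {"password123": 126927}   # count is illustrative


def fake_fetch_range(prefix: str) -> str:
    lines = [
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
    ]
    for pw, n in _CONSTRUCTED_CORPUS.items():
        p, s = split_for_range(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\r\n".join(lines)
```

The service never learns the full hash, so running this at signup or password change leaks nothing about the user's password beyond a 20-bit prefix shared with hundreds of other hashes, which is why a site can do this check for its users without the site itself becoming a password lookup service.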
(This is not an advertisement.)
Maybe it isn't needed
Originally HIBP and other websites used data breach dumps to solicit further data collection^1, e.g., with a fear-based, clickbaity title like "Have I been pwned?"
Maybe HIBP serves the author, maybe that's why it's "needed"
For example, it brings him notoriety
For example, he can promote his other cybersecurity website via HIBP and paid speaking engagements
The author has expressed dissatisfaction that companies are being penalised for data breaches through class action litigation, including any compensation users might receive as part of these settlements
He believes there is no user injury
https://www.troyhunt.com/data-breaches-class-actions-and-amb...
If that's his position, if he believes users are unharmed by data breaches, then what's the point of HIBP
Is it to support the companies who are collecting data and then being breached (not the users to whom the data belongs)
1. Data collection being the root cause of the data breach problem
2. He validates the breaches through a network of volunteers who check if the credentials are real.
3. He provides an easy-to-use service for free.
What is your alternative? Having each person run their own agent scanning the corners of the internet, downloading breaches, and looking for their own accounts? What's the point of that?