Posted by 882542F3884314B 16 hours ago

1k Data Breaches Later, the Disclosure Lag Is Worse (www.troyhunt.com)
278 points | 117 comments (page 2)
faangguyindia 15 hours ago
There will be more data breaches.

Google and Apple are throttling hotfix updates (for app developers) as tons of code pushes to their infra (by vibe coders) are straining their systems.

They are fixing this by throttling updates to a minimum 3-day review period.

So good luck fixing the vulnerability or data leaks in your apps.

HDBaseT 14 hours ago
I am not sure I get the connection between AI code holding up review processes and data breaches.
emodendroket 14 hours ago
The post made a pretty clear claim, I thought: the volume of apps being sent through is so extreme that they can't keep up with their review process.
ai_fry_ur_brain 13 hours ago
Don't worry, the vibecoders will tire out; they're the same people who were making NFTs and mining Bitcoin; they'll move on to the next hot thing soon enough. It's more an archetype, not necessarily the same exact people. They don't commit long term.
pixl97 4 hours ago
>Don't worry, the vibecoders will tire out

This seems to rhyme with "Don't worry, the spammers will tire out"

Narrator: "The spammers in fact, did not tire out"

parliament32 1 hour ago
The hilarious part is that spam actually makes money, while slop does not. There's no reason to tire out if it's profitable, right?

Meanwhile... have you ever paid for a vibe-coded anything? Why would you, when you (along with everyone else) can slop the same thing together in a weekend with a $20 CC subscription?

glemmaPaul 12 hours ago
This indeed. They are the "type of guy type of guys", always drifting to the next big thing®

I wonder what's next; I feel it might be a huge swing of the pendulum next.

charcircuit 15 hours ago
>why is it still needed?

It's not needed. There are already alternatives that could take its place. Some of them are able to actually show you what data leaked instead of leaving you blind to what was actually included in the breach.

J-Kuhn 14 hours ago
This is a bad idea, for multiple reasons.

https://www.troyhunt.com/here-are-all-the-reasons-i-dont-mak...

khafra 14 hours ago
I don't think he meant "show the actual data," I think he meant "what leaked? My name, address, phone number, email, medical records, payment history, bank account number?"

We get a "your private data is now public" email, but knowing exactly what data turns that from a depressing statement on how much corporations value their customers' privacy into something actionable.

J-Kuhn 13 hours ago
This information is shown on the site of the breach, for example: https://haveibeenpwned.com/Breach/BakerDistributing
charcircuit 12 hours ago
Yes, I meant the actual data so you know what leaked. There is a difference between leaking a password 12345678 and leaking a password that was reused on a different site. There is a difference between leaking your actual birthday and leaking 01/01/1900. There is a difference between leaking a fake address, your previous address, and your current address.
pixl97 4 hours ago
Then feel free to browse the onion and buy data that you may be included in.

There seems to be some amount of entitlement by people in this thread to get information from a third party about what a first party to them lost.

The first party that lost your data should be the one that shows you exactly what was compromised.

charcircuit 12 hours ago
>Most breaches already contain hashed passwords

It could show the hash instead.

>No, it's not ok that these passwords are already out there

So it's better that people have to pay for it instead of getting this information for free?

>Because it's important to say "I don't store passwords in HIBP"

This is a personal choice.

>I'm not your personal lookup service

The idea is that this would be done by the site itself and would not require manual work by the owner.

parable 11 hours ago
Hashes can be cracked, and end users won't understand how to create password hashes to check which one was leaked. Plus, salts exist.

Passwords shouldn't matter anyway. Use a password manager and be done with it. The real issue is metadata which can't easily be changed: phone numbers, addresses, and the like. If any of that data is leaked, it becomes much harder to contain the impact. You can't move house every time your address gets leaked online.
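
The exchange above (showing the hash instead of the plaintext, hashes being crackable, and salts making cross-site comparison useless) is easier to reason about with concrete code. The following is an added example, not code from the original thread or from HIBP: it hashes a user's own candidate password and compares it against (1) a constructed dump of unsalted SHA-1 hashes, (2) a constructed salted record where the salt is stored beside the digest, and (3) a constructed range response in the k-anonymity style Pwned Passwords uses, where only the first five hex characters of the SHA-1 leave the client. All passwords, digests and counts are made up for the example; `constructed_range_response` stands in for a real server.

```python
"""Checking whether YOUR password appears in a leak without being shown the leak.

Constructed data only: nothing here comes from a real breach or from HIBP's code.
"""
import hashlib
import hmac
import os


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 as upper-case hex (the representation Pwned Passwords uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Case 1: a dump of unsalted SHA-1 hashes (constructed). Nobody has to show the
# user the plaintext: they hash their own candidates and compare. This is also
# why "just show the hash" is weak protection: an attacker does exactly the same
# with a wordlist, which is what "hashes can be cracked" means.
UNSALTED_DUMP = {sha1_hex(p) for p in ("12345678", "Summer2023!")}


def in_unsalted_dump(password: str, dump=UNSALTED_DUMP) -> bool:
    return sha1_hex(password) in dump


# Case 2: salted hashes. Sites store the salt next to the digest, so a user who
# is handed the record can still verify their own password against it...
def salted_record(password: str, salt: bytes = b"") -> tuple:
    """Return (salt_hex, sha256(salt || password)) the way a site might store it."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def matches_salted_record(password: str, record: tuple) -> bool:
    salt_hex, digest = record
    _, candidate = salted_record(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest)


# ...but the same password salted by two different sites yields unrelated
# digests, so one breach's hash tells you nothing about another breach.
def same_hash_across_two_sites(password: str) -> bool:
    return salted_record(password)[1] == salted_record(password)[1]


# Case 3: the k-anonymity range model. The client sends only the first five hex
# characters of its SHA-1; the server answers with every suffix in that range
# plus a count; the match happens on the client. The function below plays the
# server with constructed counts.
KNOWN_LEAKED = {"12345678": 4_000_000, "Summer2023!": 12}  # constructed counts


def constructed_range_response(prefix: str) -> str:
    """Fake 'SUFFIX:COUNT' lines for one 5-hex-char range (constructed data)."""
    lines = [
        f"{sha1_hex(p)[5:]}:{n}"
        for p, n in KNOWN_LEAKED.items()
        if sha1_hex(p).startswith(prefix)
    ]
    lines.append("0" * 35 + ":1")  # an unrelated suffix sharing the range
    return "\r\n".join(lines)


def k_anonymity_count(password: str, fetch_range=constructed_range_response) -> int:
    """Return how often the password was seen, sending only the 5-char prefix."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if hmac.compare_digest(candidate, suffix):
            return int(count)
    return 0


if __name__ == "__main__":
    print("unsalted hit:", in_unsalted_dump("12345678"))
    rec = salted_record("12345678")
    print("salted record verifies:", matches_salted_record("12345678", rec))
    print("same hash across sites:", same_hash_across_two_sites("12345678"))
    print("k-anonymity count:", k_anonymity_count("12345678"))
```

The point the thread circles around shows up in case 2: a salted digest is useful to the one person who already knows the password and is handed the salt, and useless for correlating across breaches, which is the "plus, salts exist" objection. Case 3 is the practical resolution for users who "won't know how to hash": the client does the hashing, and the server never learns which password was asked about.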

ozyschmozy 14 hours ago
Can you give examples of these alternatives?
parable 11 hours ago
I use Snusbase (https://snusbase.com). They've been around since around 2016 and haven't had any issues legally - they're the longest-standing data breach search engine besides HIBP, as far as I know.

(This is not an advertisement.)

1vuio0pswjnm7 2 hours ago
"Today, I loaded the 1,000th data breach into Have I Been Pwned. Reflecting on that milestone number, I pondered how to mark the occasion in writing, and what immediately came to mind was a very simple question: why is it still needed?"

Maybe it isn't needed

Originally HIBP and other websites used data breach dumps to solicit further data collection^1, e.g., with a fear-based, clickbaity title like "Have I been pwned?"

Maybe HIBP serves the author, maybe that's why it's "needed"

For example, it brings him notoriety

For example, he can promote his other cybersecurity website via HIBP and paid speaking engagements

The author has expressed dissatisfaction that companies are being penalised for data breaches through class action litigation, including any compensation users might receive as part of these settlements

He believes there is no user injury

https://www.troyhunt.com/data-breaches-class-actions-and-amb...

If that's his position, if he believes users are unharmed by data breaches, then what's the point of HIBP

Is it to support the companies who are collecting data and then being breached (not the users to whom the data belongs)

1. Data collection being the root cause of the data breach problem

BoppreH 2 hours ago
1. People come to him with breaches that are not public yet.

2. He validates the breaches through a network of volunteers who check if the credentials are real.

3. He provides an easy-to-use service for free.

What is your alternative? Having each person run their own agent scanning the corners of the internet, downloading breaches, and looking for their own accounts? What's the point of that?