Reputation.com Loses User Passwords, Emails, and Addresses (opens in new tab)

(stormpath.com)

63 pointschunsaker12y ago37 comments

37 comments

Its absolutely flabbergasting when a company, which has the sole purpose of protecting customer information, allows this to occur. They've raised 4 major institutional rounds (their last $42 million), its discomforting that neither their team nor investors thought to secure their systems better than this.

Hitchhiker12y ago

" That is a funny business because on a net basis, the whole investment management business together gives no value added to all buyers combined. That's the way it has to work. " - Charlie Munger ( http://ycombinator.com/munger.html )

furqanrydhan12y ago

I worked there as one of their first engineer's, It's surprising to me that they've raised that much $, however the hack isn't. Incompetence is a word I use fairly when describing my time there...

sneak12y ago

mumble mumble invisible hand mumble

skrebbel12y ago

I didn't get it.

1 more reply

electic12y ago

This is really bad for their reputation.

brandon_wirtz12y ago

Reputation.com has always been smarmy. It wouldn't surprise me if they sold the passwords and then claimed they lost them. (Really)

For the things Reputation.com does you have to ask why they used encrypted rather than hashed passwords. Not that hashed passwords would make me super excited to be lost, but why did Reputation.com need to keep the password around? They don't really interact with accounts, and if they do those should be stored separately from the access to the site. So the message should have been "we lost users bank account passwords" or something along those lines.

Because I know that Reputation.com is practically in the extortion business this password storing rather than hashing issue makes me think even less of them, which is difficult to do.

tekacs12y ago

The passwords _were_ salted and hashed (the article and e-mail screenshot both mention this).

It's no s/b/...crypt but they don't seem to have been 'kept around'.

tekacs12y ago

Aaand having posted this, he reads the first comment on the page which states the opposite... in contradiction to the posted screenshot of the supposed e-mail.

o_O

1 more reply

just2n12y ago

As a friendly tip, this isn't your YouTube comments page for why Node.js is stupid, so we'd appreciate it if you would take the few minutes of your time and read the article before jumping to conclusions or stating facts without credible sources.

brandon_wirtz12y ago

Really? What does encrypted mean? Hashed is not encrypted. You can't unhash. You can find a known source of that hash, but you can't "decrypt".

Knowing this. Salted and Hash and Encrypted doesn't make any sense. So either they are BSing because they are stupid. Or because they are dishonest.

From where I stand it doesn't really matter which of the two they are. When it comes to privacy I have no tolerance for Stupid or Dishonest.

As for the statement that they aren't legally required to notify you... That's not true. If any of the people on the list live or access their account from North Carolina, or any of the 14 other states that use NC's breach terms then they would have to. Since it is nearly impossible to tell that this is not the case they legally have to give notice. A company that deals in Reputation Management should know this.

PS Friendly Tip regarding credible sources I can already buy the list online. With passwords in decyphered. This doesn't lend well to they were Hashed and Salted.

2 more replies

bredren12y ago

This article sort of glosses over the exact user data lost in the data breach: names, email and physical addresses. For users some, phone numbers, date of birth and occupational info.

That is a lot of personal data to lose given Reputation.com's supposed to be opening a data privacy vault this year.[1] The founder gave interview to Fox March 1st describing Reputation.com's move into vendor relationship management.[2]

Advocates for personal data vaults / VRM business model[3][4] like Reputation.com and Personal.com stress that personal data is mishandled today, especially by data brokers. Thus it must be particularly frustrating for Reputation.com to be directly involved in a data breach.

[1] http://www.nytimes.com/2012/12/09/business/company-envisions...

[2] http://www.reputation.com/reputationwatch/multimedia/michael...

[3] https://cyber.law.harvard.edu/projectvrm/Main_Page

[4] http://www.nytimes.com/2012/02/13/technology/start-ups-aim-t...

jorts12y ago

Is there a reason why in all of these compromises that they never state the type of encryption used on passwords?

dangrossman12y ago

Because somewhere between 97% and 100% of the recipients of the message would only be confused by that information.

whatshisface12y ago

Confusion, when followed by positive words, can make people happier sometimes. (Wow, I sure am glad they are so smart!)

I don't really see a big drawback to inserting a few extra words, if those words might get reputable people to say that the bad thing that just happened wasn't really so bad.

floody-berry12y ago

It seems more likely that they don't realize it's even important until they get hammered for details on what they used. Some PR person asks an engineer and he says "Yeah, it's fine, we hash/encrypt the passwords.." and only after they eventually disclose what they were using and have it explained to them do they realize they screwed up.

DigitalSea12y ago

Losing information on the scale these guys have is no doubt going to be bad for their reputation.

lstamour12y ago

I'm always nervous when people say they've lost "encrypted" passwords. We need a "plain english" version of https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet or at least issue a warning when you create a "password" VARCHAR in MySQL ;-)

tptacek12y ago

I really hate that OWASP page (it's not as bad as it used to be --- that is, godawful --- and now it's just incoherent) and think we shouldn't be directing developers to it. If there's something "OWASP" (whatever that is) is truly bad at, it's cryptography.

ineedtosleep12y ago

I usually rely on OWASP for general guidelines, but if that page isn't enough for you, what is? (not a rhetorical question)

What should one look into in order to fill in OWASP's gaps?

gcr12y ago

What things would you change?

gcr12y ago

What's wrong with it?

kijin12y ago

> issue a warning when you create a "password" VARCHAR in MySQL

I put my salted and bcrypt'ed passwords in a CHAR or VARCHAR column named "password". Anything wrong with that? Should I change the name of the column to something like "hashed_password"?

aptwebapps12y ago

The name of the column isn't a problem, rather it's an opportunity to nudge the developer a bit. Or that's how I read the GP's comment.

1 more reply

Cherian_Abraham12y ago

Ironic. More over, this is exactly why AirBnB should not become an identity store (asking their customers to become verified by scanning and sending their passport info). I do not trust them with my identity.

xntrk12y ago

Seems like a good letter to send for a fishing scam. Call this number that has nothing to do with our company and give them more personal info to "watch your credit".

iancarroll12y ago

It's gonna need some reputation defense now.

superflit12y ago

So their reputation is lost?

joshguthrie12y ago

When I first read the title, I thought they litteraly LOST their database contents.

pentarim12y ago

Bad reputation

j / k navigate · click thread line to collapse

37 comments

useflyer12y ago

Hitchhiker12y ago

furqanrydhan12y ago

I worked there as one of their first engineer's, It's surprising to me that they've raised that much $, however the hack isn't. Incompetence is a word I use fairly when describing my time there...

sneak12y ago

mumble mumble invisible hand mumble

skrebbel12y ago

I didn't get it.

1 more reply

electic12y ago

This is really bad for their reputation.

brandon_wirtz12y ago

Reputation.com has always been smarmy. It wouldn't surprise me if they sold the passwords and then claimed they lost them. (Really)

Because I know that Reputation.com is practically in the extortion business this password storing rather than hashing issue makes me think even less of them, which is difficult to do.

tekacs12y ago

The passwords _were_ salted and hashed (the article and e-mail screenshot both mention this).

It's no s/b/...crypt but they don't seem to have been 'kept around'.

tekacs12y ago

Aaand having posted this, he reads the first comment on the page which states the opposite... in contradiction to the posted screenshot of the supposed e-mail.

o_O

1 more reply

just2n12y ago

brandon_wirtz12y ago

Really? What does encrypted mean? Hashed is not encrypted. You can't unhash. You can find a known source of that hash, but you can't "decrypt".

Knowing this. Salted and Hash and Encrypted doesn't make any sense. So either they are BSing because they are stupid. Or because they are dishonest.

From where I stand it doesn't really matter which of the two they are. When it comes to privacy I have no tolerance for Stupid or Dishonest.

PS Friendly Tip regarding credible sources I can already buy the list online. With passwords in decyphered. This doesn't lend well to they were Hashed and Salted.

2 more replies

bredren12y ago

This article sort of glosses over the exact user data lost in the data breach: names, email and physical addresses. For users some, phone numbers, date of birth and occupational info.

[1] http://www.nytimes.com/2012/12/09/business/company-envisions...

[2] http://www.reputation.com/reputationwatch/multimedia/michael...

[3] https://cyber.law.harvard.edu/projectvrm/Main_Page

[4] http://www.nytimes.com/2012/02/13/technology/start-ups-aim-t...

jorts12y ago

Is there a reason why in all of these compromises that they never state the type of encryption used on passwords?

dangrossman12y ago

Because somewhere between 97% and 100% of the recipients of the message would only be confused by that information.

whatshisface12y ago

Confusion, when followed by positive words, can make people happier sometimes. (Wow, I sure am glad they are so smart!)

I don't really see a big drawback to inserting a few extra words, if those words might get reputable people to say that the bad thing that just happened wasn't really so bad.

floody-berry12y ago

DigitalSea12y ago

Losing information on the scale these guys have is no doubt going to be bad for their reputation.

lstamour12y ago

tptacek12y ago

ineedtosleep12y ago

I usually rely on OWASP for general guidelines, but if that page isn't enough for you, what is? (not a rhetorical question)

What should one look into in order to fill in OWASP's gaps?

gcr12y ago

What things would you change?

gcr12y ago

What's wrong with it?

kijin12y ago

> issue a warning when you create a "password" VARCHAR in MySQL

I put my salted and bcrypt'ed passwords in a CHAR or VARCHAR column named "password". Anything wrong with that? Should I change the name of the column to something like "hashed_password"?

aptwebapps12y ago

The name of the column isn't a problem, rather it's an opportunity to nudge the developer a bit. Or that's how I read the GP's comment.

1 more reply

Cherian_Abraham12y ago

xntrk12y ago

Seems like a good letter to send for a fishing scam. Call this number that has nothing to do with our company and give them more personal info to "watch your credit".

iancarroll12y ago

It's gonna need some reputation defense now.

superflit12y ago

So their reputation is lost?

joshguthrie12y ago

When I first read the title, I thought they litteraly LOST their database contents.

pentarim12y ago

Bad reputation

j / k navigate · click thread line to collapse