
Check your email address(s) and passwords for cyber security breaches


Halcyon:
I'm aware of HIPAA and other such privacy regulations (mostly in Australia). My day job (which happens to be in cybersecurity) involves conducting security assessments as well as investigating breaches. Some of these breaches are "reportable" (for example, financial sectors). We do have privacy laws in Australia which do control how and what information is shared and of course that varies among organisations and industries. Since we're talking about laws and regulations, in this particular instance, I'm not bound by legislation to seek your permission, but that's getting beyond the scope of what happened/what we are talking about. You may object based on your own personal opinions and morals.

I agree with you, an email address is personally identifiable (in most respects) and whilst I understand where you're coming from and the concerns you raised, let me make it clear that your (or anyone else's) email address was not "shared" with anyone. It has not been stored anywhere except for the servers that run the EEVblog forum (and that's because you provided it). There is a clear distinction between "sharing" and my actions of submitting an email address for checking against a known list and then having that data discarded. No one else but me saw or will ever see those addresses.

Also, whilst HIBP does provide a list of compromised password hashes for anyone to download, it does not (and will never) supply a complete dump of compromised email addresses. That is the opposite of cybersecurity and is not what that service is about.

At the end of the day, I stand by my actions and strongly believe they were reasonable and justifiable. My actions were ultimately for the greater good. Should the breach actually have occurred on our end, I suspect people would have a very different reaction. Damned if you do, damned if you don't.
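Halcyon mentions the downloadable Pwned Passwords hash list. The following is an added example (not code from any poster or from HIBP) showing how a client checks one of its own passwords against that corpus with the k-anonymity range lookup: only the first five hex characters of the password's SHA-1 hash leave the client, and the returned suffix list is matched locally. The sample response text and counts are constructed, and `offline_fetch` stands in for the HTTP call to `https://api.pwnedpasswords.com/range/<prefix>`.

```python
import hashlib
from typing import Callable, Dict, Tuple

def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, as used by Pwned Passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_range(password: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]

def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-terminated in the real response).
    Padded responses (Add-Padding: true) include dummy entries with count 0;
    they are dropped so a padding row can never be mistaken for a hit."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_for_range(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed sample standing in for the /range/ endpoint (runs offline). The
# counts are made up; the two non-zero suffixes are the real SHA-1 tails of
# "password" and "123456", so those lookups hit and anything else misses.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "0000000000000000000000000000000000A:0\r\n",   # padding row
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:37359195\r\n",
}

def offline_fetch(prefix: str) -> str:
    """Hypothetical fetcher; a live client would GET the range URL here."""
    return SAMPLE_RANGES.get(prefix, "")

if __name__ == "__main__":
    for pw in ("password", "123456", "example-unique-passphrase-42"):
        print(pw, "->", pwned_count(pw, offline_fetch))
```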

thm_w:
Imagine caring about security of others and having people complain that you brought it up.

Shock:
In the world of security, posting credentials used on one website to another, non-related website is the worst idea ever (as already stated). Even if it is "trusted", which is a total fallacy.

Better advice is to use unique, strong passwords and, if required, ensure a reliable recovery method to regain access to a lost email account. If you suspect a website account has been compromised, check the recovery email and security questions etc., and then change passwords, again unique and strong.

I know the argument claiming their info was already in the public domain is enticing, but users would reasonably expect those details (especially if hidden) not to be entered into another website without permission.

Halcyon:
At the end of the day, the advice I have given is sound, but it doesn't work for everyone. Just like not everyone likes long, complex passwords, or the use of password managers. Adopt your own cybersecurity posture in a way that suits you based on some of the fundamental principles. There are countless sources of reliable information out there from plenty of other industry experts; as I said, you don't have to take my word for it: conduct your own research and make your own assessments.

We could go back and forth for weeks. I've said what I've said, I've done what I've done. Upon review, I wouldn't have approached things any differently.

Unless there are any further developments, I consider this matter appropriately dealt with. Feel free to discuss among yourselves.

Monkeh:
 :popcorn:
