This blog post is really confusing. They announce that it was priced much lower than other data sets, then had to wait for other sources before they suggested it was likely to have been purchased by bad actors. 1) It was already HELD by a bad actor in the first place, and 2) if it was that cheap no shit it's been purchased.
The data was
name, email address, last four of credit card, most recent IP address, and hashed & salted password
Which is not that bad tbh, so long as their implementation of hashing and salting is up to snuff. But their complete lack of transparency regarding the nature of the breach
The investigation identified several possible vectors of attack that have since been remedied.
aka "our practices were so bad we have no fucking clue how we were breached". If they have closed a vector, why not disclose what it was? Of course the answer is nobody wants to admit to having u:admin p:password credentials out there, or having everyone and their dog messaging around the same SSH key, but even big corporations have the balls to admit it after they're caught.
I don't think this is a really fair breakdown and I'm not sure why you find it confusing.
They announce that it was priced much lower than other data sets, then had to wait for other sources before they suggested it was likely to have been purchased by bad actors.
It was already HELD by a bad actor in the first place
The one who sells the data is often not considered to be the same as the people who purchase and maliciously use the data. While one could consider the person who procured data from the breach to be a "bad actor", that individual or group is not particularly likely to use that data to some advantage, but the purchaser is, so what they are saying is "this data was breached and this data was purchased and someone is likely going to try to use this data".
"our practices were so bad we have no fucking clue how we were breached"
Having made a statement similar to this in the past (though not on this scale) I would guess that they have a pretty good guess about what the problem was, and in the course of figuring that out found some other things. Not explaining all the things that one has done wrong in infrastructure isn't a bad idea. While it's possible that they had:
u:admin p:password credentials out there, or having everyone and their dog messaging around the same SSH key
it's also possible that there was a reasonable attack vector that they had not considered and do not want to publish. There are also a variety of things one does not publish when things like this happen, and it could be any number of them, including things like a malicious former employee taking data which would result in an investigation that you cannot talk about.
that individual or group is not particularly likely to use that data to some advantage
Have you worked in cybersecurity? This is absolutely false - they do both. In any event they needed alerts from others to indicate to them that the data had been bought, rather than the simple fact that it was for sale.
If the vector is closed, it can be discussed. If it isn't closed this long after the event, the company should purge their databases as they are not capable of managing them correctly. If the vector was people, say so (there is no such thing as an investigation so sensitive you cannot say "the vector was a person rather than system configuration"). Transparency in breach reporting is one of the only ways consumers have to vote with their feet when it comes to companies making shithouse decisions regarding the privacy of those consumers' data. Assuming the worst where that transparency does not occur must be the default position.
Have you worked in cybersecurity? This is absolutely false - they do both.
Just to be clear, I'm not ignoring this, I'm just not interested in continuing this part of the discussion. The person who wrote the article drew a distinction here, and that's all that happened. If you're interested in discussing what people do with breached data, it would be an interesting post on its own, but I don't think it needs to be part of this, and I also don't think it's worthwhile to split hairs to the degree that you were doing.
In any event they needed alerts from others to indicate to them that the data had been bought, rather than the simple fact that it was for sale.
They acted immediately as if it had been bought (as they state in the article). They also stated that in addition to this, they have reports that it had been bought. There's no indication that they acted at any point as if the data had not been purchased. This is another time where you are splitting hairs or harping on a particular turn of phrase. It's not really a worthwhile way to spend one's time.
If the vector is closed, it can be discussed.
See previous comment re: an instance where I was involved in a breach and literally could not legally discuss the situation. If I have been involved in a case where it has happened, it's not difficult to understand that these situations can exist.
Transparency in breach reporting is one of the only ways consumers have to vote with their feet
If you value transparency, then "vote with your feet", which I assume means leaving this service. I strongly encourage you to stop using Roll20 if you feel like transparency with breaches is a key factor for you. For most people, transparency in this doesn't matter, because they won't understand what would be said. I know dozens of people who use Roll20 and not a single one of them care about the transparency level of this report; they care that they identified the issue and have worked to fix it. I'll reiterate though, that if you feel strongly about this, leave the service or ask Jeff to give a more technical account of the data breach. They've really just started their report on this, so it's possible he'd provide one.
I asked them if they could tell me how the attacker got through their system, as I'm a compsci student and I'm interested in real life scenarios.
After 6(!) days, this came back:
Hello,
Not a problem, I can help with that. Before we can process your request, we do need to verify your ownership of this Roll20 account. By confirming, you are certifying that you are the owner of the Roll20 account in question and you wish to receive an example of your data stored in the Roll20 Accounts database.
If this is the email address associated with your Roll20 account, please reply to this email, and include the word "yes" in your response.
If this email address is not the one associated with your Roll20 Account, please send a request from that email address.
Thank you!
Miles
(emph. mine). I wonder if I'll be able to get to a human.
After a hell of a lot of time, I got an email. I asked them if they could disclose at least a type of vulnerability. I got this:
(Note: I redacted some records for privacy reasons.)
Hello,
Thank you for your patience in this matter. Our data protection officer has forwarded your information to you via a separate email. The email should arrive in your inbox within 24 hours. If you have not received this email please let us know and we can continue to assist further.
Regards,
The Roll20 Team
Hi <FirstName>,
Per your request and verification, the following is the data we currently have associated with your account in our database. If you have logged in or used Roll20 since December 2018, these specific values will differ from the data at the time of the breach, though the data structure is the same.
First Name: <FirstName>
Last Name:
Account ID: 3480747
Email: <Email>
BCrypt Password Hash: $2a$10$V/gw4tXgoKf4bAUynuLh5ueQbtxq(...)
Last Logged in IP: 217.(...).(...).(...)
Time Played: 6280
Last 4 digits of most recent card on file: [null]
Internal User Role Designation: subscriber
Tips enabled: true
Image Web Search Default: true
User Quota: 100
Current Used Quota (deprecated, unused): 0
Quota Device Count: 2
Nickname: <Nickname>
Creation Time: 1529091625
Stripe Customer ID: [null]
Stripe Test Customer ID: [null]
Paypal Customer ID: [null]
Single Use Confirm Code: [null]
Single Use Password Reset Code: [null]
Google+ ID (deprecated, unused): [null]
Last Login Time: 1567794293
Last Time Seen in Game: 1567805820
Last Consecutive Time Start: 1567794282
Roll Server Count: 233
Marketplace Upload Flag: [null]
User Avatar:
Language: en
Agreed to CoC: [null]
Banned Until: N/A
Internal Firebase Data - Ping: 300
Internal Firebase Data - Num: 20
Internal Firebase Data - Camp: 3404151
Last Session: <redacted for security> (Note: This one was redacted by them)
Translator:
User Tags:
User Bio:
Games you play (selected):
Games you want to play (selected):
Bio Last Updated: 0
LFG Flag: [null]
Achievements: playedwith_5,played_10h,playedwith_10,rolled_100,played_50h,played_100h
Players Played With: 3388180,3388865,3389052,3472861,3472978,3474950,3475349,3480810,3644412,3712328,3764713,3764805,3797579,3798793,3836647,3836759,4003066,4048042,4141286,3008034,3952395,3297404,4396416,3127157,4525393
Opt Out Flag: [null]
Confirmation Flags - Unconfirmed: [null]
Confirmation Flags - Personal Welcome: [null]
Confirmation Flags - iPad Editing: [null]
Hidden Tutorials: startvideo
Forum All Viewed: 0
Email Notification Setting: 1
Captcha Flag: [null]
Previous Nicknames: .
Last Notification: 1553372757
Thank you for your patience and understanding through this process. Please let me know if you have any additional questions.
Jeffrey Lamb
Data Protection Officer, Roll20
Maybe they'll let me ask a human now.
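The "up to snuff" question raised in the first comment, and the `$2a$10$` header visible on the BCrypt Password Hash line of the record Roll20 returned, can both be answered from the hash string alone: the header carries the variant and the work factor, and the salt and digest encoding can be sanity-checked. The following is an added example, not Roll20's code and not code from any commenter. It parses a bcrypt modular-crypt string, flags obsolete variants and low work factors, and gives a back-of-envelope offline guessing estimate. The sample hash is constructed filler (not anyone's credential), and the figures of 1e5 guesses per second at cost 5 for one attacker GPU and a 1e9-candidate wordlist are assumptions chosen for illustration, to be replaced with a current benchmark.

```python
import re

# bcrypt's own base64 alphabet (not RFC 4648). Index order matters for the
# trailing-character checks below.
_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# Modular-crypt layout: $<variant>$<cost>$<22-char salt><31-char digest>
_FULL = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
_PREFIX = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$")

# The 16-byte salt packs into 22 chars, so the 22nd char carries only 4 bits
# and must be one of ".Oeu"; the 23-byte digest's 31st char has its low two
# bits zero, so it must sit at an alphabet index divisible by 4.
_SALT_TAIL = set(_ALPHABET[0::16])   # ".Oeu"
_DIGEST_TAIL = set(_ALPHABET[0::4])

# Constructed sample (assumption): random-looking filler, not a real credential.
SAMPLE = "$2a$10$K3mW.9zqPb1RtxL0cYsHdOuV7nQpEa1Zw5bLgT4hYkRs9cXmDjFoC"


def parse_prefix(s):
    """Read variant and work factor from the start of a bcrypt string.

    Works on a truncated string such as the one the commenter received,
    because only the '$2a$10$' header is needed for that."""
    m = _PREFIX.match(s)
    if not m:
        raise ValueError("no bcrypt header")
    variant, cost = m.group(1), int(m.group(2))
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be 4..31")
    return {"variant": variant, "cost": cost, "rounds": 2 ** cost}


def parse_bcrypt(mcf):
    """Parse and sanity-check a complete 60-character bcrypt string."""
    m = _FULL.match(mcf)
    if not m:
        raise ValueError("not a well-formed 60-char bcrypt string")
    info = parse_prefix(mcf)
    salt, digest = m.group(3), m.group(4)
    if salt[-1] not in _SALT_TAIL or digest[-1] not in _DIGEST_TAIL:
        # Catches hand-edited or mis-copied hashes; genuine bcrypt output never fails this.
        raise ValueError("salt/digest encoding has non-zero padding bits")
    info.update(salt=salt, digest=digest)
    return info


def is_well_formed(mcf):
    try:
        parse_bcrypt(mcf)
        return True
    except ValueError:
        return False


def assess(mcf, min_cost=10, cost5_rate=1.0e5, candidates=1.0e9):
    """Policy check plus a rough offline guessing estimate for one hash.

    cost5_rate: ASSUMED guesses/sec one attacker GPU manages at cost 5.
    candidates: ASSUMED size of the wordlist tried against each hash.
    Every user has a distinct salt, so the work cannot be shared across hashes."""
    info = parse_bcrypt(mcf)
    findings = []
    if info["variant"] in ("2", "2x"):
        findings.append("variant $%s$ is from an obsolete or known-buggy implementation" % info["variant"])
    if info["cost"] < min_cost:
        findings.append("work factor %d is below the minimum of %d" % (info["cost"], min_cost))
    rate = cost5_rate / 2 ** (info["cost"] - 5)   # each +1 in cost halves throughput
    info.update(findings=findings, guesses_per_sec=rate, seconds_per_hash=candidates / rate)
    return info


if __name__ == "__main__":
    r = assess(SAMPLE)
    print("variant %s, cost %d (%d rounds): %.0f guesses/s, %.1f days per hash for %d candidates"
          % (r["variant"], r["cost"], r["rounds"], r["guesses_per_sec"],
             r["seconds_per_hash"] / 86400, 1e9))
    print("findings:", r["findings"] or "none")
```

Run against the sample, cost 10 works out to about 3125 guesses per second per hash under the assumed benchmark, which is days per hash for a billion candidates; that is why a cost-10 bcrypt dump mostly exposes users who chose passwords found early in a wordlist, and why the "hashed & salted" claim is only reassuring once the work factor on the real hashes is known.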