this post was submitted on 25 Dec 2023
106 points (97.3% liked)

No Stupid Questions

35920 readers
1624 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 1 year ago
MODERATORS
 

Was this always happening in this big scope? Leaks of games, data that is stolen, all these breaches in big companies. Feels like I see this everyday

all 46 comments
sorted by: hot top controversial new old
[–] [email protected] 88 points 11 months ago (1 children)

The GDPR enforces that data breaches are made public, so you may have seen a rise in publicly known breaches, starting in 2018.

[–] Ghostalmedia 10 points 11 months ago (1 children)

Many companies in the US have been reporting their breaches since the early 2010’s. All 50 states have some sort of breach notification law on the books.

[–] [email protected] 8 points 11 months ago* (last edited 11 months ago) (1 children)

I have no hard data, but from being in the industry + reading the news, my impression has been that the number of known data breaches went up significantly, even for US companies. Is the punishment maybe just completely laughable in those US laws?

That was the case here in Germany. The GDPR is heavily inspired by our data protection law (BDSG), that we had in place since the 90s. With a significant amendment, which is that punishment went up from at most 300,000€ to 20 billion € (and even more for big companies).
For many companies, this was when they realized, they actually have to adhere to data protection laws. Suddenly, we had non-IT companies reporting data breaches, which was essentially not a thing beforehand.

[–] Ghostalmedia 3 points 11 months ago

Statista has an interesting break down of US breaches over the past two decades. Unfortunately I’m having a hard time finding this type of break down for other nations.

https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/

[–] dipshit 57 points 11 months ago (3 children)

security is hard and complex. companies don’t hire security people.

[–] [email protected] 26 points 11 months ago (2 children)

Security people can help, but often can't. The issue is with software design, and most companies struggle to properly fund that.

[–] edgemaster72 13 points 11 months ago (3 children)

In addition, I don't have data to back it up, but I feel like social engineering plays at least a part in many if not most of the big hacks we see happening

[–] FuglyDuck 17 points 11 months ago

Social Engineering is absolutely the lions share of how things get done. Remember: Never work the system if you can work the people running it.

This is true of hacking, yes, but also just navigating all the bullshit bureaucracy that surrounds modern life. For hackers, cracking good passwords is almost impossible (this is to say, it is possible but it takes... a very long time. Longer than they have.) So they rely on people having terrible password discipline- they're using phishing schemes to get passwords and guess similar passwords at other places.

They're also using social engineering to convince your cell phone company they're you..... at which point the cell phone CS rep becomes extremely helpful in bypassing any security that normally routes through your phone. (Like, say SMS 2fa. Or phone call 2fa,)

[–] berkeleyblue 3 points 11 months ago

It does. And also just plain old bribing. I work for a big Tech Company, and while I‘m only a Retail employee, I have been offered quite some money throughout the years to share my logins (which honestly wouldn’t get you very far). People with more acces than me (Managment or Support employees) apparently received offers in upper 5 Digit territories. If you ask enough people, I‘m not 100% confident that all would say no to that. But to be fair, there’s a lot of hurdles now in between those things with acces being restricted to internal networks, multi factor and trusted device policies a real crackdown on who has access to what. Passwords allone don’t get you very far anymore.

[–] [email protected] 2 points 11 months ago

Layer 8 is the hardest to secure.

[–] netburnr 1 points 11 months ago

Yeah, it's a struggle with there are a dozen zero days a year for multiple brands/applications. I have at least 4 people always doing some sort of upgrade or patch being reported by infosec.

[–] CluckN 8 points 11 months ago (1 children)

My tinfoil hat security cycle is as follows

Company experiences a breach > Hire an expensive internal security team > wait 3 financial quarters > new suits wonder why they spend $$$ on security if nothing has happened > lighten security team

[–] Inucune 1 points 11 months ago

There is money to be made in getting hacked.

[–] [email protected] 5 points 11 months ago

Or companies do hire security, but the security team is incompetent and unable/unwilling to adapt to new challenges. Then it devolves into security theater, until either someone new comes who cleans house or a breach happens.

[–] [email protected] 45 points 11 months ago (2 children)

We've gotten better at reporting them

[–] SlothMama 19 points 11 months ago

Still a very small subset of the data breaches out there.

Think about it.

Start with the total amount of data breaches. Narrow that further to the data beaches that someone noticed. Narrow that further to the data breaches they reported. Narrow further to the ones that you have heard about.

What you know about it is a trailing indicator of the total incidences.

[–] [email protected] 9 points 11 months ago

We’ve gotten better at reporting them

Close. There are more laws requiring reporting within certain timeframes. Few companies report when they are not forced to.

[–] slazer2au 28 points 11 months ago

Yes, breaches have always happened. There have been some very high profile ones in the past like Sony and Adobe that caused governments to create laws forcing registered businesses to disclose breaches where Personal Identifiable Information is accessed. So you are hearing more because they are forced to disclose more.

The other side is hacking tools have become far more powerful with a much lower barrier to entry.

Previously you needed to find and build your own tools for exploits. A considerable amount of private hacking groups will sell access to their tools for others to use leading to the rise of Ransomware as a Service (RaaS). Hackers poking fun at the current XaaS naming (SaaS, IaaS, etc.)

[–] LemmyKnowsBest 22 points 11 months ago (4 children)

Ashley Madison

Equifax

23 and Me

those are the only ones I know off the top of my head because those are the ones that affected me. (my ex-husband was on the AM list; I was affected by the Equifax breach; my daughter was affected by the 23 and me breach)

[–] CyberTaco 13 points 11 months ago (1 children)

Ooo. Really sorry to hear about your husband doing that. :-(

[–] LemmyKnowsBest 10 points 11 months ago* (last edited 11 months ago) (1 children)

No problem. I thought it was hilarious.

And I didn't say husband. I clearly said ex-husband.

[–] [email protected] 14 points 11 months ago (1 children)

I think they assumed it was “husband” at the time, and only ex husband after the AM leak.

[–] FireRetardant 12 points 11 months ago

The 23 and me stuff is expecially scary. It is bad enough giving out genetic information to a company. It is even worse when that information is stolen.

Anyone interested in using a gentic ancestry service should read the book Genethics by David Suzuki & Peter Knudtson first. TLDR if a big enough genetic data bank is aquired by the wrong hands, discriminatory practices could increase significantly in job interviews, health insurance and other sectors. Chemical warfare could also be specifically tuned to specific genetic groups.

[–] Fredselfish 4 points 11 months ago (2 children)

My mortgage company had a breach and I saw three articles about three different companies having breachs. That and I think OP is also talking about the video game code leaks.

[–] zilla 2 points 11 months ago

Yeah like kinda everything. Wasn't sure if it's just more reports. In the end it's a mix of all the systems.

I thought i missed something. But all you folk's provided good information for me and i am thankful for this

[–] [email protected] 2 points 11 months ago

As someone in the thick of it, it has been a nervewracking quarter for mortgage company IT and Infosec teams. There have been several very high profile breaches the last few months.

[–] [email protected] 2 points 11 months ago* (last edited 11 months ago)

Also mint mobile recently but yeah data = money. Had to search up Ashley Madison and I'm sorry you went through that

[–] [email protected] 21 points 11 months ago (1 children)

In my experience, it’s always been this bad. However, as the world becomes more connected, it becomes easier to find systems to break into and easier to find ways to break in. It’s only recently that most countries have enacted legislation to enforce mandatory reporting of data breaches, and so we hear more about them.

Cyber security has always been (and probably always will be) an arms race between those who want to secure data and those who want to steal it. As the value and usefulness of data goes up, so does the desire of the bad guys to steal it. Identity theft and just plain ransoming of data are only ever going to increase.

Use:

  • a password manager
  • a different random password or pass phrase for every site
  • a different random email address for each site (Apple’s “Hide my Email”; Firefox Relay; DuckDuckGo mail; 33mail, for example)
  • different false details as much as possible for every site

Don’t:

  • Use the same details (name, password, email address) on every site
  • use your real details if you can possibly avoid it. If you must, misspell your details (“Johhn Smith”, “1 Maiin Street”) so that you can track the misuse of your data.
[–] Delphia 5 points 11 months ago* (last edited 11 months ago) (1 children)

Or buy a domain and run all your email through a catchall with different emails for different services.

Netflix @johnsmith.com, fishingworld @johnsmith.com etc.

Makes it easy to tell who cant be trusted.

[–] Lemminary 1 points 11 months ago (1 children)

fishingworld

Thought that said "fistingworld" and almost spilled my drink

[–] Delphia 2 points 11 months ago

Funny thing is when you have a catchall you can tell your friends your email is whatever the fuck you want. One of my buddies deadset thought my email address that everyone got was "Ifuckcats@email.com" for years.

[–] [email protected] 19 points 11 months ago (1 children)

Yes—it’s why you should use a password manager to generate a unique password for each and every site you sign up for, and think long and hard before trusting any site (or any org for that matter) with your personal information.

Haveibeenpwned.com is a website for checking which sites have leaked your data.

[–] [email protected] 6 points 11 months ago (1 children)

Make sure it's an offline password manager. It's a really bad idea to allow your password database to be stored on someone else's server.

[–] [email protected] 7 points 11 months ago* (last edited 11 months ago)

LastPass had a breach recently too

I think Bitwarden and Keypass are the good recommendations. Both can be kept local or selhosted.

If you're coming from LastPass and want something basically 1:1 similar (ex. Don't want to set up local / self hosted), Bitwarden is an easy switch

[–] reddig33 17 points 11 months ago

Data is worth money. If your bank left the back door open all the time, I’m sure people would walk in and steal money. Same thing.

[–] stackPeek 11 points 11 months ago

My personal opinion: those hackers are probably not that clever nor smart, it's just that companies doesn't often properly follows security best practices despite storing plenty amount of sensitive information.

[–] thedirtyknapkin 11 points 11 months ago

i mean, are there ever consequences to the companies? how often does it actually affect their bottom line?

it keeps happening because companies doing very little to stop it because they have little incentive to.

[–] Ghostalmedia 9 points 11 months ago

IMHO, the biggest recent change is visibility to breach notifications. The notifications have been going out in many places for over a decade, but now there are lots of products that easily expose that information to people and the media.

[–] Lemminary 7 points 11 months ago

Some companies have found that leaks create hype, especially for games. League of Legends is infamously known to get everything leaked, probably on purpose. Until players get fed up with it, at least.

[–] zilla 5 points 11 months ago

Thank you for all the answers and also tips

....time to live in the woods :D

[–] [email protected] 5 points 11 months ago

any system or network is only as strong as its weakest component - in many cases, people are the weakest component.

[–] [email protected] 4 points 11 months ago

I've been exposed so many times throughout the years, the mails were automatically moved to the spam folder.

[–] [email protected] 4 points 11 months ago

I'd say that some time ago there weren't that many leaks because not so much data was stored. But sites were modified to show spam and such.

[–] [email protected] 4 points 11 months ago

It's the new normal.

[–] SereneHurricane 2 points 11 months ago

Cyber security guy here.

Consider a large organization with a lot to lose. They usually invest proactively in a Cyber security program.

Now consider all these companies with data breaches. They were tiny startups with nothing to lose. No reason to consider an investment in cyber security best practices. Their modus operandi was quickly pushing the product to market so that the $ could start coming in.