What should we do when your data is leaked online?

How long should we wait before publishing an article about a data leak?

  • Immediately

    Votes: 86 60.1%
  • Within 24 hours

    Votes: 23 16.1%
  • Within 48 hours

    Votes: 13 9.1%
  • When the company whose clients’ data was leaked approves

    Votes: 17 11.9%
  • Never

    Votes: 4 2.8%

  • Total voters
    143
Cool, and when did you join CW? As to me it indicates the data was likely dumped before that date.

Early this month. I can't remember the date unfortunately but it's definitely more than 2.5 weeks ago

Actually let me check, I think I've got records of the communication
 
Was your email address on that site? I'm curious to know as it may indicate when the data breach happened. When did you join?

The Trojan was installed in 2013.
There may have been any number of data dumps since then. It essentially gives root access to the server.
 
The dump was before about 8 June 2016.

This is interesting as someone has been sitting on the data ...

The dump published was not a complete list of CW clients, only certain auth realms.
 
I have said it in the other thread already: MyBB is the enabler and platform for the hackers to publish leaks. I do not understand why MyBB has to become the "gateway" for leaks and vulnerabilities and prescribe to affected companies a turn-around time.

If MyBB would simply not entertain the acceptance of leaks, those very same hackers would not have a platform to gain reputation/credibility from their peers. It is the same sentiment government agencies have towards terrorists. I always felt that ISPA should have taken on the role of the Electronic Frontier Foundation and manage "internet affairs" which affect their members and the public.

As long as journalists can not adhere to ethics of journalism such as truthfulness, accuracy, objectivity, impartiality, fairness and public accountability when dealing with the acquisition of information and the dissemination to the public, I do not believe that MyBB is a platform where such information should be reported. My opinion is that journalism ethics should focus on the main principle to limit harm and this often involves withholding certain details if it means the release of such information can harm companies and people.

I have taken great exception to how this paste and any prior security issue was leaked - it was never in the spirit of assisting the public or the victims of such security issue. It always had an ulterior (and often sensationalist) motive.

Perhaps ISPA with the input from a number of ISPs will now be in a position to come up with a process to manage those types of leaks and enforce that no publication should be allowed to carry such vulnerabilities and place undue pressure on affected parties. It is quite a simple exercise to have a closed forum of IT security specialists (individual companies could register information officers to participate) who can participate in such events to mitigate issues arising.

People here said "Who cares about bidorbuy and affected users" - but let me tell you that our team spent this morning phoning 123 people informing them about the leak with many being aware of it but most not knowing what to do. Those were people whose accounts we disabled as they shared the same password on our platform as well as on CrystalWeb and some admitted that they used one password for everything. When passwords leak in clear text I would have expected more responsibility from the reporters and at least make an attempt to contact the bigger companies - after all over 700 domains had been affected - many of those being high-profile companies in critical industries (financial, development etc).

TL;DR: MyBB should not be the central place for security leaks. It needs to be an independent industry body which does not benefit from news articles and has the interest of both companies and consumers at heart.
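The check the bidorbuy team describes above (disabling accounts whose clear-text leaked password also unlocks the account on their own platform) can be automated without ever storing the leaked plaintext. The following is an added example, not bidorbuy's or CrystalWeb's code. It assumes the site stores only salted PBKDF2-SHA256 hashes, that the leak arrives as "email:password" lines, and that each leaked password is tried only against the account with the matching e-mail address (never against the whole user base). The user records and leak lines are constructed sample data.

```python
"""Check a clear-text credential leak against a properly hashed user store.

Added example (not bidorbuy's or CrystalWeb's code). Assumptions: passwords
are stored as salted PBKDF2-SHA256 hashes; leak rows look like
'email:password'; sample users and leak rows below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ITERATIONS = 50_000  # assumption; production would prefer a memory-hard KDF (argon2/scrypt)


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    disabled: bool = False
    reason: str = ""


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash); a fresh random salt is drawn when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def password_matches(candidate: str, rec: UserRecord) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    _, h = hash_password(candidate, rec.salt)
    return hmac.compare_digest(h, rec.pw_hash)


def parse_leak_line(line: str) -> Optional[Tuple[str, str]]:
    """Parse 'email:password'. Split once so passwords containing ':' survive."""
    line = line.strip()
    if not line or ":" not in line:
        return None
    email, password = line.split(":", 1)
    email = email.strip().lower()
    if "@" not in email or not password:
        return None
    return email, password


def disable_reused_accounts(leak_lines: Iterable[str], store: Dict[str, UserRecord], source: str) -> List[str]:
    """Disable every local account whose leaked password also unlocks it here.

    The leaked plaintext is used transiently for one hash comparison and is
    never written anywhere. Accounts already disabled are skipped, so the
    function is safe to re-run when a fuller dump appears.
    """
    hits: List[str] = []
    for line in leak_lines:
        parsed = parse_leak_line(line)
        if parsed is None:
            continue
        email, leaked_pw = parsed
        rec = store.get(email)
        if rec is None or rec.disabled:
            continue  # not our customer, or already handled
        if password_matches(leaked_pw, rec):
            rec.disabled = True
            rec.reason = f"password reuse: credential appeared in {source} leak"
            hits.append(email)
    return sorted(hits)


def build_sample_store() -> Dict[str, UserRecord]:
    """Constructed sample users; in practice this is the site's own user table."""
    users = {
        "alice@example.com": "Winter2016!",
        "bob@example.com": "correct horse battery",
        "carol@example.com": "s3cret-unique",
    }
    return {email: UserRecord(*hash_password(pw)) for email, pw in users.items()}


# Constructed sample leak rows (not real data).
SAMPLE_LEAK = [
    "alice@example.com:Winter2016!",   # same password here -> disable, force reset
    "Bob@Example.com:somethingelse",   # our customer, different password -> untouched
    "dave@example.com:whatever",       # not our customer
    "garbage line without separator",  # malformed row, skipped
    "",
]

if __name__ == "__main__":
    store = build_sample_store()
    print(disable_reused_accounts(SAMPLE_LEAK, store, "CrystalWeb"))  # ['alice@example.com']
```

Every disabled account still needs the phone call or e-mail the post describes; the script only tells you whom to call. Matching by e-mail keeps the work proportionate (one hash per leaked row) and avoids turning the leak into a cracking run against the whole user base.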
 
TL;DR: MyBB should not be the central place for security leaks. It needs to be an independent industry body which does not benefit from news articles and has the interest of both companies and consumers at heart.

If myBB had consumers' interests at heart they would not have banned the CEO of the ISP voted best in the country three times last year...
 
Well done.

Option 7 unlocked:

Ban those who are willing to stick to the truth.
 
Keep in mind the leaked information is in most likelihood immediately available to the sort of people you really don't want to have it. Someone posted the data to mybb, haveibeenpwned.com, and who knows where else. Clients need to be made aware of this asap, not when the company involved deems fit. Sure, in this case Crystalweb seems to have done the right thing, but what if they hadn't?

And if MyBB ran with the story immediately (before CW was even aware of it) then they would be as responsible if not more responsible for the leak.

Especially considering they are an SA based website reporting on an SA based company the impact would be much closer to home.

Giving the company in question warning that it firstly happened and secondly time to mitigate is of the utmost importance, otherwise MyBB might as well have done the hack themselves.
 
This thread is really bizarre and seems to be filled with subjective and accusatory statements at MyBB for publishing a news article about an event where a company's customer data was leaked with first name, last name, email address, dsl username and password data in clear text. MyBB did not publish the location of that data nor did they draw any conclusions from it - they reported on the fact that it had been leaked and statements from the company affected - they did not release the data nor provide links to it.

Now, all those who are so angry at MyBB maybe you should step back and direct your anger elsewhere. If you feel MyBB has crossed the line then report them to the press ombudsman or take legal action or whatever other legal avenue you feel is appropriate.

But also ensure you direct your anger at:

1) The individual or group responsible for the hack - their motivation is unknown and frankly irrelevant - their actions are the criminal element.
2) Companies who share their customer information with third parties or service providers and then do not ensure that the data is protected and basic security principles (clear text etc) are adhered to.
3) Third parties who take it upon themselves to find this leaked data and take possession of it, process it against other databases, make reference and post ways the location of the data is still obtainable, post images of links to the data and then make the data available to another third party for reporting of such data which is then further disseminated publicly - all on a public forum and then claim the moral high ground when compared to a news site who reported on the event only.

It should never be a situation where the company affected by such a leak should dictate the terms of how, when and where the press can report on matters which are newsworthy.
 
lol - be angry at people who use a leak to ensure their own customers are safeguarded?

ok then.
 
lol - be angry at people who use a leak to ensure their own customers are safeguarded?

ok then.

You can safeguard your own customers without posting images of the google cache containing the actual link of the leaked data. And ideally you should do so using legally obtained data as opposed to the actual leak - or is it now legal to possess stolen property? Thanks for giving me the opportunity to provide clarity.
 
This thread is really bizarre and seems to be filled with subjective and accusatory statements at MyBB for publishing a news article about an event where a company's customer data was leaked with first name, last name, email address, dsl username and password data in clear text. MyBB did not publish the location of that data nor did they draw any conclusions from it - they reported on the fact that it had been leaked and statements from the company affected - they did not release the data nor provide links to it.

Truly bizarre. Lot of stuff deleted and people banned. Maybe you are late to the party.
 
So the problem is I cannot select an option on the Poll.


Then the company directly affected should be informed, and once that is done and a reasonable time for publication is determined the data should be published.

The option that implies approval is the closest to what I would opt for, BUT I am not sure "approval" is the correct criterion. It does not allow for a company that does nothing. Then it is important to publish ...

PS: This is a topic which should be researched by someone, why not MYBB?
The purpose being to find out what best practice is -- we are not the first to go through such an event.
I think there should be a "security forum/community" somewhere that needs to be advised immediately (this is a group ALL large businesses belong to) and which can immediately assess the damage and then advise their clients directly if affected.

If such a group does not exist then it is high time it gets created.


TL;DR: MyBB should not be the central place for security leaks. It needs to be an independent industry body which does not benefit from news articles and has the interest of both companies and consumers at heart.

Yes fully agree with this idea.
 
Register on breachalarm.com
If your password is leaked, as happened twice with me, you can change it quickly.

Does it actually show you the source of the breach / leak? AFAIK breachalarm is not free whereas haveibeenpwned.com is (and also allows you to register full domains for free as well). I honestly trust a real person who is a security researcher more than some arbitrary website.

I also think that this poll will be interpreted wrong - the majority of voters say "Immediately" but I am pretty sure this will just be used to ascertain that future incidents can be treated in the same way.

I think that most responders had in mind, with the "Immediately" response, that the incident is reported responsibly. This means that if a company or journalist receives notice of a breach or leak, the relevant stakeholders are contacted. In SA this poses a problem as I don't even think POPI (nor ECTA) appropriately addresses how such a report should happen.

Overseas federal law is more specific as it literally says that depending on the data leaked, customers need to be informed immediately (especially when social security numbers, health records or financial information leaks). In the absence of local data breach notification laws and until an industry body such as ISPA (or ICASA or the Dep. of Communications) takes custodianship of such incidents it is only fair and reasonable to expect that a media outlet such as MyBB handles this responsibly.

Let's step through the 5 rules to apply in a breach and what went wrong:

1) Be open and sincere
Admit where the fault occurred and take responsibility. Crystal Web did this.

2) Provide details
Explain why the situation took place. I know that this was explained in CW mails to customers but did not properly reflect in the MyBB article. The 3rd party provider did not notify anyone nor has it fully disclosed to affected parties what happened. It is only known that CW has notified their customers, despite there being some rumors that the 3rd party had control of much more data.

3) Mitigate
Describe solutions for affected users. This resulted in password resets. MyBB failed in mitigating that the leak was posted on the forum and remained on Google caches for 2 (!) days. Yes, the information leaked and was available on lainfile.pw since 25/06, but had MyBB moderators had access to Google Search Console, they could have removed the posts and profile pages from the caches within minutes. My emails to MyBB asking for the removal remained unacknowledged. My own attempt of removal was a futile exercise as a non-webmaster removal request takes up to 24 hours per request.

Lesson learned: The MyBB moderators should be empowered to remove content from search engines at any time of the day. I also maintain that MyBB established itself as a go-to-point for hackers and leakers to publish/boast about those breaches. If the medium would not entertain criminal elements it would not become the platform for such leaks. It also did not help that the article was posted on a Saturday morning. No other mitigation occurred from the publisher or the 3rd party service provider.

Let's also briefly discuss why I think that MyBB is responsible for not mitigating this incident:
- A new user "~hades" registered an account on MyBB on the 25th at 3:40am and then posted a link to a well-known hacker paste site where he uploaded a list with over 9000 email addresses and passwords in clear text/unencrypted.
- The post(s) from "~hades" were deleted by mods shortly afterwards, but Google cache and other search engines indexed those posts literally minutes after the posts went up.
- MyBB could very well decide (via robots.txt and robots-meta tags) to not make posts crawlable to search engines for a certain period of time. If this had been done (i.e. forum posts become only crawlable 3-6 hours after posting), the Google cache issue would not have happened. Right now all content is immediately crawlable and I would also think that the forum software frequently pings search engines with updates/Sitemaps.
- MyBB could very well decide to make links posted within forum posts not searchable.
- MyBB could also restrict posting rights to newcomers. MyBB could implement a rule that posts from newcomers with off-site links need to be moderated or prevent posting links for a certain period of time.


4) Educate
I would have expected more here. Especially from an IT publication with such reach. The article reflected the leak but did not assist affected parties on what to do. My expectation is that if you report on an issue affecting a good 5000 people, that you equally take ownership of it. In our discussions with 123 affected users many did not quite understand why they had to change passwords on all sites and had no idea what a safe, unique password comprised and that they could manage passwords with password managers securely.

5) Discuss
Leading up to posting the article, the journalists could have very well engaged with industry experts, analysts and possibly companies affected by the leak without mentioning specifics - i.e. ask a security expert how he would handle the leak of unencrypted passwords or ask security teams of the affected companies what their policies and procedures are when unencrypted details are leaked.

It would have very well been possible that some of the bigger companies could have been warned about an inbound leak without giving specifics. Hopefully in the near future some central body in SA will be able to take ownership of this (my personal choice would be ISPA as they are "close enough to the internet" and already have the correct contacts to assist with this).

I don't think anyone affected can walk away without reflecting and improving:
- The hacker/leaker for not providing responsible disclosure of the leak (and continuing to do so)
- Crystal Web for assuming that the 3rd party provider applies industry best practices when it comes to storing security sensitive information (yes, it is unbelievable that one would store passwords unencrypted)
- The 3rd party provider for doing such a horrible job in storing passwords. Let's also not forget that a C99shell was installed on their server. The C99shell would not be an issue if passwords were encrypted - then it is "just a leak" with encrypted passwords and some PII (email, name).
- Each user who chose to use a shared password and thus increasing his/her own exposure during this incident
- MyBB for not appropriately acting on the removal of the posts and cached information.
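The forum-side mitigations listed in the post above (keeping fresh posts out of search engine indexes and caches for a few hours, marking user-posted links as not to be followed, and holding newcomers' posts that carry off-site links for moderation) can be expressed as a small policy layer in front of the forum software. The following is an added example and is not MyBroadband's forum code; the six-hour window, the newcomer thresholds, the on-site host allowlist and the sample post are all assumptions.

```python
"""Forum hardening policy against drive-by leak posts (added example, not
MyBroadband's code). Assumptions: a 6-hour noindex window, a 7-day/10-post
newcomer threshold, and an on-site host allowlist; all are illustrative.
"""
from __future__ import annotations

import html
import re
from datetime import datetime, timedelta, timezone
from typing import List

NOINDEX_WINDOW = timedelta(hours=6)      # assumption: posts become crawlable 6h after posting
NEWCOMER_AGE = timedelta(days=7)         # assumption: account younger than a week is a newcomer
NEWCOMER_POSTS = 10                      # assumption: fewer than 10 posts is a newcomer
ONSITE_HOSTS = {"mybroadband.co.za", "www.mybroadband.co.za"}  # assumption

# Captures the host part of http(s) URLs in a post body.
URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def robots_directive(posted_at: datetime, now: datetime) -> str:
    """Value for both the X-Robots-Tag response header and <meta name="robots">.

    A crawler that arrives minutes after posting must neither index nor cache
    the page ('noarchive' is what keeps it out of the search engine cache);
    the page becomes indexable once moderators have had time to act.
    """
    if now - posted_at < NOINDEX_WINDOW:
        return "noindex, noarchive, nofollow"
    return "index, follow"


def offsite_hosts(body: str) -> List[str]:
    """Distinct hosts linked from the post that are not on the allowlist."""
    hosts: List[str] = []
    for m in URL_RE.finditer(body):
        host = m.group(1).lower()
        if host not in ONSITE_HOSTS and host not in hosts:
            hosts.append(host)
    return hosts


def moderation_decision(body: str, account_created: datetime, post_count: int, now: datetime) -> str:
    """Return 'hold' when a newcomer posts off-site links, else 'publish'."""
    is_newcomer = (now - account_created) < NEWCOMER_AGE or post_count < NEWCOMER_POSTS
    if is_newcomer and offsite_hosts(body):
        return "hold"
    return "publish"


def render_link(url: str) -> str:
    """Render a user-posted link so search engines neither follow nor credit it."""
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}" rel="nofollow ugc">{safe}</a>'


if __name__ == "__main__":
    # Constructed scenario: account registered at 03:40, posts a paste link at 04:00.
    now = datetime(2016, 6, 25, 4, 0, tzinfo=timezone.utc)
    created = datetime(2016, 6, 25, 3, 40, tzinfo=timezone.utc)
    body = "full dump here: https://paste.example/abc123"
    print(moderation_decision(body, created, 0, now))   # hold
    print(robots_directive(now, now))                    # noindex, noarchive, nofollow
    print(render_link("https://paste.example/abc123"))
```

The directive must be emitted as an `X-Robots-Tag` header as well as a meta tag, because some crawlers fetch the raw thread URL and honour only the header. Holding rather than rejecting newcomer link posts keeps legitimate first posts (a new ISP customer linking to a speed test) reviewable instead of lost.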
 