Register on breachalarm.com
If your password is leaked, as happened twice with me, you can change it quickly.
Does it actually show you the source of the breach / leak? AFAIK breachalarm is not free whereas haveibeenpwned.com is (and also allows you to register full domains for free as well). I honestly trust a real person who is a security researcher more than some arbitrary website.
I also think that this poll will be interpreted wrong - the majority of voters say "Immediately" but I am pretty sure this will just be used to ascertain that future incidents can be treated in the same way.
I think that most responders had in mind, with the "Immediately" response, that the incident is reported responsibly. This means that if a company or journalist receives notice of a breach or leak, the relevant stakeholders are contacted. In SA this poses a problem as I don't even think POPI (nor ECTA) appropriately addresses how such a report should happen.
Overseas federal law is more specific as it literally says that depending on the data leaked, customers need to be informed immediately (especially when social security numbers, health records or financial information leaks). In the absence of local data breach notification laws and until an industry body such as ISPA (or ICASA or Dep. of Communications) takes custodianship of such incidents, it is only fair and reasonable to expect that a media outlet such as MyBB handles this responsibly.
Let's step through the 5 rules to apply in a breach and what went wrong:
1) Be open and sincere
Admit where the fault occurred and take responsibility. Crystal Web did this.
2) Provide details
Explain why the situation took place. I know that this was explained in CW mails to customers but it did not properly reflect in the MyBB article. The 3rd party provider did not notify anyone, nor has it fully disclosed to affected parties what happened. It is only known that CW has notified their customers, despite there being some rumors that the 3rd party had control of much more data.
3) Mitigate
Describe solutions for affected users. This resulted in password resets. MyBB failed in mitigating that the leak was posted on the forum and remained in Google caches for 2 (!) days. Yes, the information leaked and was available on lainfile.pw since 25/06, but had MyBB moderators had access to Google Search Console, they could have removed the posts and profile pages from the caches within minutes. My emails to MyBB asking for the removal remained unacknowledged. My own attempt at removal was a futile exercise as a non-webmaster removal request takes up to 24 hours per request.
Lesson learned: The MyBB moderators should be empowered to remove content from search engines at any time of the day. I also maintain that MyBB established itself as a go-to-point for hackers and leakers to publish/boast about those breaches. If the medium would not entertain criminal elements it would not become the platform for such leaks. It also did not help that the article was posted on a Saturday morning. No other mitigation occurred from the publisher or the 3rd party service provider.
Let's also briefly discuss why I think that MyBB is responsible for not mitigating this incident:
- A new user "~hades" registered an account on MyBB on the 25th at 3:40am and then posted a link to a well-known hacker paste site where he uploaded a list with over 9000 email addresses and passwords in clear text/unencrypted.
- The post(s) from "~hades" were deleted by mods shortly afterwards, but Google cache and other search engines indexed those posts literally minutes after the posts went up.
- MyBB could very well decide (via robots.txt and robots meta tags) to not make posts crawlable to search engines for a certain period of time. If this had been done (i.e. forum posts only become crawlable 3-6 hours after posting), the Google cache issue would not have happened. Right now all content is immediately crawlable and I would also think that the forum software frequently pings search engines with updates/Sitemaps.
- MyBB could very well decide to make links posted within forum posts not searchable.
- MyBB could also restrict posting rights to newcomers. MyBB could implement a rule that posts from newcomers with off-site links need to be moderated or prevent posting links for a certain period of time.
4) Educate
I would have expected more here. Especially from an IT publication with such reach. The article reflected the leak but did not assist affected parties on what to do. My expectation is that if you report on an issue affecting a good 5000 people, you equally take ownership of it. In our discussions with 123 affected users many did not quite understand why they had to change passwords on all sites and had no idea what a safe, unique password comprised and that they could manage passwords securely with password managers.
5) Discuss
Leading up to posting the article, the journalists could have very well engaged with industry experts, analysts and possibly companies affected by the leak without mentioning specifics - i.e. ask a security expert how he would handle the leak of unencrypted passwords or ask security teams of the affected companies what their policies and procedures are when unencrypted details are leaked.
It would have very well been possible that some of the bigger companies could have been warned about an inbound leak without giving specifics. Hopefully in the near future some central body in SA will be able to take ownership of this (my personal choice would be ISPA as they are "close enough to the internet" and already have the correct contacts to assist with this).
I don't think anyone affected can walk away without reflecting and improving:
- The hacker/leaker for not providing responsible disclosure of the leak (and continuing to do so)
- Crystal Web for assuming that the 3rd party provider applies industry best practices when it comes to storing security sensitive information (yes, it is unbelievable that one would store passwords unencrypted)
- The 3rd party provider for doing such a horrible job in storing passwords. Let's also not forget that a C99shell was installed on their server. The C99shell would not be an issue if passwords were encrypted - then it is "just a leak" with encrypted passwords and some PII (email, name).
- Each user who chose to use a shared password and thus increasing his/her own exposure during this incident
- MyBB for not appropriately acting on the removal of the posts and cached information.
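The two forum-side controls suggested in the post above (hold newcomer posts that carry off-site links for moderation, and keep fresh posts out of search engine indexes for a few hours) are sketched below as an added example; this is not code from the original post or from any forum software. The forum hostname, the 7-day "newcomer" threshold and the 3-hour crawl delay are assumptions, and the sample posts are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

FORUM_HOST = "forum.example.com"        # assumed: the forum's own hostname
NEWCOMER_AGE = timedelta(days=7)         # assumed: accounts younger than this are "newcomers"
CRAWL_DELAY = timedelta(hours=3)         # post suggests 3-6 hours before posts become crawlable

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


@dataclass
class Post:
    author: str
    account_created: datetime
    posted_at: datetime
    body: str


def offsite_links(body: str) -> list:
    """Return every http(s) link in the body whose host is not the forum itself."""
    links = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host != FORUM_HOST and not host.endswith("." + FORUM_HOST):
            links.append(url)
    return links


def moderation_decision(post: Post) -> str:
    """'hold' a post for a moderator when a newcomer account posts off-site links,
    otherwise 'publish' it immediately."""
    account_age = post.posted_at - post.account_created
    if account_age < NEWCOMER_AGE and offsite_links(post.body):
        return "hold"
    return "publish"


def robots_meta(post: Post, now: datetime) -> str:
    """Robots meta tag for the post page: noindex until the post has aged CRAWL_DELAY,
    so a deleted post never reaches a search engine cache in the first place."""
    if now - post.posted_at < CRAWL_DELAY:
        return '<meta name="robots" content="noindex, nofollow">'
    return '<meta name="robots" content="index, follow">'


# Constructed sample: an account created minutes before posting an off-site paste link.
NEW_ACCOUNT = Post("newuser", datetime(2015, 6, 25, 3, 30), datetime(2015, 6, 25, 3, 40),
                   "leak here: https://paste.example.net/abc123")
OLD_ACCOUNT = Post("regular", datetime(2012, 1, 1), datetime(2015, 6, 25, 3, 40),
                   "see https://forum.example.com/thread/1 for the fix")
```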