Earbits.com Leaks 325,000 User Credentials: Misconfigured Database
DataBreaches.net seems to have lost a source, but gained a resource. 🙂
Chris Vickery is now blogging his discoveries over on MacKeeper. His first post was about a misconfigured database leaking 325,000 Earbits users’ info as well as admin credentials:
We’re talking about everything from real names, email addresses, and SHA1 password hashes (with accompanying salts), to the secret access keys of Earbits’ Amazon S3 account.
Earbits responded to his notification promptly, as Chris explains here.
IA Eng - January 21, 2016
My problem with these sort of posts is, you can point the crooks in the direction where juicy information exists. If the organization has corrected the issue, sure, post away. If the organization continues to ignore a researcher's request and they post their findings, even if it has not attracted anyone to the issue so far, it might have a lot of activity if there are enough details given.
With a domain name, it is not hard to figure out where to go to get the network mapping. From there a simple scan of the network and they have the same basic info the researcher has. Better yet, if they read any original postings on the website about how this data was discovered, newly hatched wannabe crooks can make their way over to that same method and pull data.
It’s a tough call what to report and how much. A scenario: a researcher finds some PII listed out on the www. They try contacting the organization and do not get a response over a few working days. The researcher decides to blog about the issue. A few days later a known organization smears the data over pastebin and the organization’s clients are now battered by phishing and spam campaigns. Can the researcher be held accountable? The organization could claim it was investigating the issue and decided not to immediately respond to the incident. Then the organization slaps the researcher with a lawsuit saying revealing the information, which was not in the public’s immediate view, contributed to the eventual uncontrollable leaking of the data.
I dunno. It’s a very touchy / grey area. I think it’s better to inform a law enforcement agency about the issue so it can be documented. That way, if they eventually do have an issue, it’s now in the hands of the law and the company.