Security gaffes and Twitter: how to commit an own goal
Eric De Grasse
Chief Technology Officer
15 February 2021 (Paris, France) – So … some advice for those of you going online to discuss how a security breach has affected your company: don’t dox yourself by tweeting about data breaches. Ben Dickson, in an interesting piece in The Next Web (click here), noticed several NetGalley users doing just that following the breach of that site’s database backup file last month. He writes:
“The database in question included sensitive user information, including usernames and passwords, names, email addresses, mailing addresses, birthdays, company names, and Kindle email addresses. Unfortunately, many users took to social media and started discussing the incident without thinking about what they are putting up for everyone to see. And in their haste to be the first to tweet about the breach, many users made awful mistakes, which could further compromise their security.”
A couple of examples: one person announced that they use the same password everywhere (!), and another revealed her full name by reproducing her NetGalley notification, even though her Twitter account uses a pseudonym. An admission of password reuse tells an attacker exactly which leaked credential to try on every other service tied to that email address. To make matters worse, it appears the database stored user information unencrypted. Though NetGalley itself does not keep highly sensitive data such as banking information, attackers have ways of turning even the most benign information to their ends. The write-up continues:
“After the NetGalley hack, the attackers have access to a fresh list of emails and passwords. They can use this information in credential stuffing attacks, where they enter the login information obtained from a data breach on other services and possibly gain access to other, more sensitive accounts. Cross-service account hijacking is something that happens often and can even include high-profile tech executives. The attackers can also combine the data from the NetGalley breach with the billions of user account records leaked in other data breaches to create more complete profiles of their targets. So, alone, the NetGalley data breach might not look like a big deal. But … every piece of information that falls into the hands of malicious actors can become instrumental to a larger attack.”
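The credential-stuffing scenario Dickson describes has a recognisable signature on the receiving end: one source address walks through many distinct usernames from the leaked list, most attempts fail, and the few that succeed are exactly the accounts whose owners reused their NetGalley password. The script below is an added example, not code from the article or from NetGalley; the log line format, the thresholds and the sample log are all constructed for illustration. It flags source IPs that try many distinct usernames with a high failure rate inside a short window and lists the accounts that nevertheless logged in, which is the reset list a defender would act on.

```python
"""Credential-stuffing detection over constructed login-audit lines.

Added example (not part of the original article). Assumed log format:
    <ISO timestamp> <source ip> <username> <OK|FAIL>
Thresholds are illustrative, not tuned values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<user>\S+) (?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.7 replays a leaked email/password list
# (8 usernames in 8 seconds, two of them reused their password), while
# 198.51.100.9 is a real user mistyping her own password a few times.
SAMPLE_LOG = """\
2021-02-14T10:00:01 203.0.113.7 alice FAIL
2021-02-14T10:00:02 203.0.113.7 bob OK
2021-02-14T10:00:03 203.0.113.7 carol FAIL
2021-02-14T10:00:04 203.0.113.7 dave FAIL
2021-02-14T10:00:05 203.0.113.7 erin FAIL
2021-02-14T10:00:06 203.0.113.7 frank OK
2021-02-14T10:00:07 203.0.113.7 grace FAIL
2021-02-14T10:00:08 203.0.113.7 heidi FAIL
2021-02-14T10:05:00 198.51.100.9 alice FAIL
2021-02-14T10:05:10 198.51.100.9 alice FAIL
2021-02-14T10:05:20 198.51.100.9 alice FAIL
2021-02-14T10:05:30 198.51.100.9 alice OK
2021-02-14T10:06:00 198.51.100.20 carol OK
"""


def parse_log(text):
    """Return a list of (timestamp, ip, user, succeeded) tuples; skip bad lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed line: ignore rather than abort the whole run
        events.append(
            (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "OK")
        )
    return events


def detect_stuffing(events, window_seconds=60, min_distinct_users=5, min_fail_ratio=0.5):
    """Flag source IPs whose sliding window of attempts spans many distinct
    usernames with a high failure rate. A single user failing repeatedly is
    not flagged: that is a forgotten password, not a stuffing run."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological; tuples compare on timestamp first
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # shrink window from the left
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            failures = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_distinct_users and failures / len(chunk) >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(chunk),
                        "failures": failures,
                        # accounts that the stuffing run actually got into
                        "compromised": sorted({u for _, u, ok in chunk if ok}),
                    }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} users, {info['failures']}/{info['attempts']} "
              f"failed, compromised accounts: {info['compromised']}")
```

In production the same idea is usually extended with ASN, user-agent and per-account spread (one username hit from many IPs is the mirror-image signal), and a shared corporate egress or carrier NAT will need a higher distinct-user threshold to avoid false positives. The `compromised` list is the actionable output: force a reset on those accounts and tell the users why, since they are the ones who reused a breached password.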
The e-discovery community had a similar issue in 2019 when a major vendor was hacked and employees (as well as legaltech analysts) tweeted about it, providing a wealth of information. The vendor quickly raced around the Twitterverse getting the information taken down.
Dickson hastens to add that people need not stop tweeting about data breaches altogether. Doing so can spark valuable discussion, as the closing examples in his article illustrate. Just be careful not to include personal details that attackers might add to their collection: no real names behind a pseudonymous account, no screenshots of breach notifications, and certainly no admission of which passwords you reuse where.