Crazy stuff, right? MR. ROBOT stuff.
So I go to the site set up to announce the leak and click on the link to check if my information was involved. This is what I see:
Is this a joke? Is this a test? Yes, I understand what is actually going on. They are utilizing a third-party service for consumers to check if their data was involved in the leak, but this was a very shitty implementation. This could have easily been set up under the Equifax domain to not cause confusion. You would think someone would think of that...
As I was typing this up, the following tweets appeared, re-tweeted by a friend:
Step 1: "don't sell your shares based on inside knowledge of the breach" ranking pretty high on that list.— Pwn All The Things (@pwnallthethings) September 8, 2017
Step 2: "sorry our credit monitoring agency got hacked but it's fine here's some free credit monitoring" also pretty high up there.— Pwn All The Things (@pwnallthethings) September 8, 2017
Step 3: make your response to getting hacked not itself look like a phishing attack— Pwn All The Things (@pwnallthethings) September 8, 2017
Step 4: helps if your "click here to see if I'm affected" link actually works.— Pwn All The Things (@pwnallthethings) September 8, 2017
Step 5: "trust us, we got awesome people to do the response" falls a bit flat if you conspicuously hide the technical details of the hack— Pwn All The Things (@pwnallthethings) September 8, 2017
Step 6: "disappointing" is the wrong word if your company trades on trust and you just got hacked for 143m SSNs, DoBs & addresses via SQLi— Pwn All The Things (@pwnallthethings) September 8, 2017