Today SC Magazine ran the following story:
It seems Light In The Box failed to properly secure a web server and as a result, data on roughly 1.6 billion users was disclosed. While I agree with the researchers' premise that this breach was avoidable, and that Light In The Box should have taken greater precautions, I also feel that the risk is being somewhat overstated. Email addresses, usernames, country of residence and IP address at the time they were using the site are all easy to discover or publicly available. Many of these details can be collected by means of passive reconnaissance. There are times when the level of outrage is justified; last week's breach involving the loss of some 750,000 birth certificates is one example. However, I think that it is equally important to temper the message security professionals send when it comes to data breaches. Again, I'm not trying to imply that Light In The Box shouldn't be held accountable for their poor security, but I also think it's over the top to suggest this type of loss will lead to a person being tricked into revealing their home address and subsequently being robbed.