Friday, October 4, 2019

Stop Saying, “We Take Your Privacy and Security Seriously”

Zack Whittaker (Hacker News):

[DoorDash] said in a blog post Thursday that 4.9 million customers, delivery workers and merchants had their information stolen by hackers.


The news comes almost exactly a year after DoorDash customers complained that their accounts had been hacked. The company at the time denied a data breach and claimed attackers were running credential stuffing attacks, in which hackers take lists of stolen usernames and passwords and try them on other sites that use the same passwords. But many of the customers we spoke to said their passwords were unique to DoorDash, ruling out such an attack.

Zack Whittaker:

Companies can start off small: tell people how to reach contact them with security flaws, roll out a bug bounty to encourage bug submissions and grant good-faith researchers safe harbor by promising not to sue. Startup founders can also fill their executive suite with a chief security officer from the very beginning. They’d be better off than 95 percent of the world’s richest companies that haven’t even bothered.

But this isn’t what happens. Instead, companies would rather just pay the fines.

It does seem like breaches have been normalized. I doubt they cause many people to close their accounts, both because the business or service may not have a good replacement and because you have no way of knowing whether the alternatives are any safer.

Comments RSS · Twitter

Leave a Comment