Well, it happens... but maybe next time don't let 5 months pass by before telling us we should change our passwords. You could easily have reset everyone's passwords and sent a notification after fixing the database's security issue.
So there's a little confusion here.
Nothing was leaked in August. We followed the hacker's request, secured our services, hired an extra sysadmin, and ran extra audits.
Then on January 11th we received the same request, from the same data breach, but from what seemed to be a collaborator of the original hacker. We contacted the first hacker, who promised he'd solve the issue for us, but he didn't.
The data seems to have been leaked on the 14th of January. We heard of it on the 15th, rushed to lock all accounts and set up the forced password change, and posted here on the 18th.
Yeah, we messed up. We got scammed and screwed, lost months of revenue trying to avoid the leak for nothing, but it's not like we did nothing in 5 months...
You're right, there is a little confusion here; allow me to explain.
In August 2021, there was a breach. This is the point at which data was leaked: the data left your custody, and that is a leak, it's as simple as that. This is the point where you should have notified everyone.
On the 14th of January nothing changed; the data had already leaked about 5 months earlier.
I hope you've now reported the breach to the relevant authorities. (Under GDPR you've already passed the 72-hour reporting period, but better late than never.)
PS: I know you've mentioned in other posts that you're a team who don't get paid for the majority of your time and work, but that doesn't change anything in regards to your responsibilities. If you can't securely handle credentials, then simply don't: use an external identity provider. Don't require sign-in if it isn't strictly necessary. Don't accept personal information if it isn't strictly necessary.
Yes, this comment is on point!
quote:
Yeah, we messed up. We got scammed and screwed, lost months of revenue trying to avoid the leak for nothing, but it's not like we did nothing in 5 months...
I'm sorry, but you did nothing, nothing that actually mattered or resolved the situation.
Reading all the comments, I think there are a lot of people here who work in IT security or have enough experience to advise or even help you.
Huge mistakes have been made and I hope you listen to the community.
Saying it will never happen again just doesn't cut it.
You lost all credibility when you paid the ransom and tried to cover up the breach. You can say whatever you want, but that is exactly what you tried to do.
The breach was in August, it's as simple as that.