It's absolutely flabbergasting when a company, which has the sole purpose of protecting customer information, allows this to occur. They've raised 4 major institutional rounds (their last $42 million), it's discomforting that neither their team nor investors thought to secure their systems better than this.
Reputation.com has always been smarmy. It wouldn't surprise me if they sold the passwords and then claimed they lost them. (Really)<p>For the things Reputation.com does you have to ask why they used encrypted rather than hashed passwords. Not that hashed passwords would make me super excited to be lost, but why did Reputation.com need to keep the password around? They don't really interact with accounts, and if they do those should be stored separately from the access to the site. So the message should have been "we lost users' bank account passwords" or something along those lines.<p>Because I know that Reputation.com is practically in the extortion business this password storing rather than hashing issue makes me think even less of them, which is difficult to do.
This article sort of glosses over the exact user data lost in the data breach: names, email and physical addresses. For some users, phone numbers, date of birth and occupational info.<p>That is a lot of personal data to lose given Reputation.com's supposed to be opening a data privacy vault this year.[1] The founder gave an interview to Fox on March 1st describing Reputation.com's move into vendor relationship management.[2]<p>Advocates for personal data vaults / VRM business model[3][4] like Reputation.com and Personal.com stress that personal data is mishandled today, especially by data brokers. Thus it must be particularly frustrating for Reputation.com to be directly involved in a data breach.<p>[1] <a href="http://www.nytimes.com/2012/12/09/business/company-envisions-vaults-for-personal-data.html?pagewanted=all" rel="nofollow">http://www.nytimes.com/2012/12/09/business/company-envisions...</a><p>[2] <a href="http://www.reputation.com/reputationwatch/multimedia/michael-fertik-fox-markets-now-data-vault" rel="nofollow">http://www.reputation.com/reputationwatch/multimedia/michael...</a><p>[3] <a href="https://cyber.law.harvard.edu/projectvrm/Main_Page" rel="nofollow">https://cyber.law.harvard.edu/projectvrm/Main_Page</a><p>[4] <a href="http://www.nytimes.com/2012/02/13/technology/start-ups-aim-to-help-users-put-a-price-on-their-personal-data.html/" rel="nofollow">http://www.nytimes.com/2012/02/13/technology/start-ups-aim-t...</a>
I'm always nervous when people say they've lost "encrypted" passwords. We need a "plain english" version of <a href="https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet" rel="nofollow">https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet</a> or at least issue a warning when you create a "password" VARCHAR in MySQL ;-)
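The "encrypted" versus "hashed" distinction raised in the two comments above, as an added illustration that is not code from the thread or from Reputation.com (whose actual scheme is not described here): a reversible store hands every plaintext back to whoever holds the key, while a salted, iterated hash store can only answer yes or no. The keystream cipher, SITE_KEY, nonce and work factor are constructed demo values.

```python
import hashlib
import hmac
import os

# Constructed demo key; in a real deployment the key lives next to the
# database, which is exactly the problem with reversible password storage.
SITE_KEY = b"constructed-demo-key-do-not-use"
ITERATIONS = 100_000  # demo work factor; tune per the OWASP cheat sheet

def _keystream(nonce: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream standing in for any reversible cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(SITE_KEY + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))

def encrypt_password(password: str, nonce: bytes) -> bytes:
    """'Encrypted' storage: the plaintext is fully recoverable by any key holder."""
    return _xor(password.encode(), nonce)

def decrypt_password(blob: bytes, nonce: bytes) -> str:
    return _xor(blob, nonce).decode()

def hash_password(password: str, salt: bytes = b"") -> str:
    """Hashed storage: per-user random salt plus an iterated KDF, no way back."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    nonce = os.urandom(12)
    blob = encrypt_password("hunter2", nonce)
    print("encrypted store leaks:", decrypt_password(blob, nonce))
    rec = hash_password("hunter2")
    print("hashed store only answers yes/no:", verify_password("hunter2", rec))
```

Note that two users with the same password get different hash records because of the per-user salt, so a leaked table does not even reveal who shares a password.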
Ironic. Moreover, this is exactly why AirBnB should not become an identity store (asking their customers to become verified by scanning and sending their passport info). I do not trust them with my identity.
Seems like a good letter to send for a phishing scam. Call this number that has nothing to do with our company and give them more personal info to "watch your credit".