The EPIK hack is epic

I don’t think any software engineer would run things this way, if he have a say in the way things run. So probably got overwrite by the “requirements” of the company and these requirements had a reason to want the infor in clear text. I just don’t believe we can attribute this only to stupidity.

Fair. When a significant part of the population doesn’t care, it doesn’t matter what would show up.

No one’s had the ability nor time to crunch through this yet. Give it time.

Do it!

Whether or not the public at large cares, I’d hope it would be looked at by the FBI.

Did they get the routers!?

Yeah, I guess. We’ve seen these kind of “We Got Em!” stories before, though. I’m skeptical until I see some actual fire through all the smoke.

Dude. There is a phrase that covers this situation. But I can’t recall it right now.

They really don’t like to hear a “no”, let alone “no, and you’re an idiot for asking”, so, yeah, most likely.

I suspect it’s a matter of them being lazy and mostly grifters. You don’t spend a lot of money on your fake watches at the end of the day.

Also knowing things is for Lefties and Communists.

In regards to storing things in plaintext, let’s be clear on what we are talking about. The hackers in question are sharing a database dump, which implies they were able to connect to the database as an authenticated user and query out all the data or else compromise a backup and do the same. This doesn’t mean that the database was unencrypted, just that the hacker had sufficient credentials that they were able to access the unencrypted data.

All that being said, it’s really poor form to keep credit card numbers in a database at all. And if one must do so, relying on the database for encryption-at-rest isn’t sufficient. The credit card numbers should have been encrypted again and the decryption key known only to the application so that even a database breach didn’t lead to leaking card numbers. These guys aren’t going to pass a PCI-DSS audit.

Agree with all of this, except perhaps the first sentence. Tons of businesses store credit cards of customers for future transactions, or even until fulfillment of the ‘current’ one. Poor form or not, entire industries rely on it.

Even people who never actually collect any money from customers, like hotel chains, where you must ‘guarantee’ your arrival with a credit card, have to keep the card number for the entire duration of the transaction; otherwise, no one can actually charge you for not showing up, and the ‘guarantee’ is a sham. There are even service providers trying to break into that bit, offering to store the card numbers on your behalf, isolating you from the risk of storing it yourself.

That’s … not really how it works.

Most companies don’t store credit card numbers, but their payment processing systems have ways to tokenize your credit card number. So when you go into Home Depot to return something and you swipe your card, the payment processor turns your credit card number into a tokenized number, and then gives the business the token to look it up.

If you store credit cards at all you must verify PCI compliance and ensure a lot of things, such as verifying not only that the credit card numbers are encrypted every step of the way, but they are encrypted at rest, your tokenization strategy is not easily reversible by a third party (e.g. relies on secrets), you have data isolation, only certain employees not only have access to the raw data, only certain employees have access to the secrets for the data (encryption keys, etc…), etc…

PCI compliance is a royal pain in the ass and almost no business wants to deal with it. So every business you mentioned works just fine without ever having to handle actual credit card numbers in their IT systems. The second the credit card processors find out you are handling credit card numbers wrong they will either determine

  1. You have some mistakes, give you some warnings and give you a specific timeline to rectify the issues
  2. Determine you are flagrantly violating their terms and cut you off from doing any CC transactions.

In some industries, it is exactly how it works.

Yes, I know exactly what PCI compliance means. I was a CIO in the travel industry.

Google ‘credit card security breach hotel industry’ and have fun. This one is from…2020.

This one is from 2018:

Exactly this. I remember having to deal with this. I was asked what our PCI compliance strategy would be. The answer was to avoid it entirely and not have anything that required PCI compliance.

We will rarelly see cases where passwords are leaked because theres very few reasons to store a pasword. You store a hash and you force the users to reset the password if he lose the old one and generate the new hash.

So really to do things like store unnecesary data and store it in plaintext, you have to avoid good practices that are already so deepy embeded in the culture that is easy to imagine amateurs hasing their own passwords for pet proyects.

Is weird, but probably you can find 9 user cases where you want things in cleartext. Is only I am a bad person and think 2 of these 9 users cases are “I want to view the password of the hot lady”.

is a matter of opinion 100%, but is weird that in 2021 anyone would build things this way, so my gut feeling is management forced the hand of the engineers to do things this way

But to claim that it’s required is totally not true. Those industries aren’t doing it because they have to, they are doing it because they want to (and potentially reduce costs by reducing payment processor fees by taking on that risk.

Evidence of companies doing stupid shit isn’t evidence that they were required to do stupid shit.

Edit: Also a lot of those companies were taking credit cards way before tokenization and our tech is where it’s been in the last decade. They’ve already bitten the bullet on PCI Compliance and using the sunk costs to keep their payment processing down. That’s the core reason why they still store credit cards somewhere.

These things are all true, and, to a certain extent, every aspect of a business model and its supporting technology is a choice. But this?

I don’t know if it is true or not. Certainly some companies don’t store them, and some companies do, but I don’t know where the break for most is, especially once you exclude all the companies that don’t trade using credit card numbers at all, for which this is a non-issue. But lots of companies do store them, still.

And tokenization is, essentially, just a mitigation strategy. We won’t store them on our servers, we’ll store them on your servers, and pay for you to be accountable for securing them. They’re still being stored.

“i dont want that binary shit in my database”

Yeah I don’t have data for “most” so I guess I should take that back. However, I’ve been part of several companies in the last decade where the CEO wanted us to be PCI compliance and we successfully pushed back, because there’s zero value in us owning and paying for that risk. I can’t think of too many companies where that risk is worth keeping CC numbers in house.

I was part of a huge effort at a large retailer to silo off all the PCI code into its own services away from the business logic, as a way to reduce the footprint of what was subject to audit. But yeah, if you’re not that size I can’t imagine it being worth it.