Given how lax AT&T is with this sad press release, they are fully expected to pay some fine, which they will pay after exhausting years of appeals. At that point, people will have forgotten. Impacted people get a check for $5 (if they are lucky). Business as usual.
Nobody goes to jail. Some offshore team is replaced with another bottom-of-the-barrel contractor. Maybe a low-ranking executive is given a slap on the wrist, internally. AT&T cuts some internal program to make up for the loss (1-year moratorium on T&E for that team).
Spot on prediction. We need to start pushing for jail for these people running (and owning) these businesses with such carelessness.
- yes. I mean all owners. Shareholders too. All it would take is once for shareholders to get slapped with prison relative to shares owned for this sh*t to stop.
> Apparently they encrypted customer passwords instead of one-way hashing [1].
Pretty incredible. I use one-way hashing for my own sites and I don't even have customers, just a couple of accounts I use when I want to demo something.
Yes, but if the algorithm and salt get to be known then there are very few possibilities (10^n where n is the max length of the passcode) and unless people are setting 50-digit passcodes, then it is very crackable.
It's crackable by those that have the secret key, i.e. AT&T and whoever they leak their key to. But presumably it's harder to steal a secret key and a database entry than it is to steal just a database entry.
The salt just obscures whether two users have the same code.
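The three properties argued over in the comments above (a reversible encryption is undone by anyone holding the key, a salted hash of a short numeric passcode still falls to a 10^n brute force once the salt is known, and the salt only hides which users share a passcode) can be shown concretely. This is an added example, not code from the thread or from AT&T; the `toy_encrypt`/`toy_decrypt` pair is a deliberately simple HMAC-keystream construction built only to make the "key holder can read it back" point, not something to deploy, and the iteration count and the `0427` passcode are constructed sample values.

```python
import hashlib
import hmac
import os

# --- Reversible encryption: whoever holds KEY can recover every passcode ---
# Toy construction for illustration only (assumption: not what any vendor uses).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))

# --- One-way salted hashing: nobody, including the operator, can read it back ---
def hash_passcode(passcode: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256; production systems use far higher iteration counts
    # (or a memory-hard KDF such as scrypt/Argon2) than the demo values below.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations)

def brute_force_digits(digest: bytes, salt: bytes, n_digits: int, iterations: int):
    """With algorithm and salt known, an n-digit passcode has only 10**n candidates."""
    for candidate in range(10 ** n_digits):
        guess = str(candidate).zfill(n_digits)
        if hmac.compare_digest(hash_passcode(guess, salt, iterations), digest):
            return guess
    return None

def same_passcode_detectable(passcode: str, iterations: int) -> tuple:
    """Returns (hashed_same_salt_equal, hashed_distinct_salt_equal)."""
    shared_salt = os.urandom(16)
    a = hash_passcode(passcode, shared_salt, iterations)
    b = hash_passcode(passcode, shared_salt, iterations)
    c = hash_passcode(passcode, os.urandom(16), iterations)
    return (a == b, a == c)

if __name__ == "__main__":
    key = os.urandom(32)                       # the operator's secret key
    blob = toy_encrypt(key, b"0427")
    print("key holder recovers:", toy_decrypt(key, blob))

    salt = os.urandom(16)
    iters = 200                                # constructed demo value
    digest = hash_passcode("0427", salt, iters)
    print("4-digit passcode brute-forced:", brute_force_digits(digest, salt, 4, iters))
    print("same salt / distinct salt equality:", same_passcode_detectable("0427", iters))
```

The takeaway matches the thread: hashing removes the operator's own ability to read passcodes back, the salt stops a leaked table from revealing shared passcodes, but neither helps much when the search space is 10^4; only a longer or non-numeric secret (or a rate limit enforced elsewhere) does.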
While this might be a marketing tactic in such situations, in this case it's a press release, which is a format where it's common to speak about "yourself" in 3rd person. Look at their other press releases.
That's fair, it's so reporters can copy-paste it. But given the seriousness here it would seem the CEO could have written something more personal. Though of course it covers their ass legally as it doesn't admit or imply guilt, even hints it's a contractor's fault, and nobody can accuse them of not "responding" any longer.
The only thing more shocking than these regular leaks is how many banks assume that if you produce the SSN and DOB of Person X then you're X! And if you're not X then that's X's problem: his identity got stolen!
The three major credit bureaux all have free monitoring services anyway. They're of course filled with dark patterns; at least one of them emails me more or less any time an account reports 'your balance has gone up' or 'your balance has gone down', which is super useless, and can't be configured. But hopefully I'll get notified if a new account is made, and it will be easier to get it closed while it's new.
Their website is truly pathetic, leaving the burden on individuals to protect this information. They should bleed red severely for this in punitive damages to those impacted.