by stouset 3284 days ago
Yeah. "No cases of fraud or loss due to screen-scraping" doesn't mean your service isn't going to be the one that leaks a treasure trove of banking credentials.

It's also highly probable that it has happened; it just wasn't attributed properly.

1 comments

Why do you assume everything has already happened? Do you also assume Gmail passwords have already been hacked? Just asking.

Why do you say I think "everything" has already happened?

I think it's likely one of these screen-scraping sites that store bank passwords has been breached, and any losses as a result have simply not been attributed to it.

I say this having experience in infosec and seeing how comically little companies who should care about security actually do. Often there's not even a single person with infosec experience. And they make every mistake you'd passively learn not to by casually reading HN comments.

That's not to say some companies don't get it right. Some (including my current employer) do an extraordinary job. But even teams with solid infosec staff get broken into. The odds of a site storing large numbers of bank passwords with only a handful of engineers not getting popped sooner rather than later are slim.