by omarhaneef 2312 days ago
If we are trading war stories:

I was playing around with some tutorial to learn something (probably something cool like programming your own robotic drone using functional erlang or whatever), pushed to github and went to sleep. Woke up a few short hours later and had lots of emails about the machines I was spinning up.

Checked and saw that my account had racked up thousands of dollars overnight (I think 6-8 hours), and I started to shut down the machines.

I didn't get them all, there were more machines hidden, and the bills continued to pile up for another hour or two.

I contacted Amazon who shut it all down, and I reset my password.

Then I realized I had pushed my credentials to github (I should really put this under a pseudonym, but I was new to the whole thing and hadn't even looked into Amazon's authentication system. Obviously, billing credentials and sysadmin credentials should never be the same.) Someone had a scraper going that picked them up almost right away.

To Amazon's credit, they cancelled the charges within a few hours, and if memory serves the person investigating gave me a sympathetic but stern message.

I don't know who the credential-stealer was and what they were using it for, but I would guess crypto mining. I did some calculation at the time and I think they would have extracted about 1/3rd the value of my bill, but those were rough calculations.

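The whole incident above hinges on the key pair reaching GitHub at all. As an added example (not from the post or from any project it mentions), a pre-commit hook in Python that scans the lines a commit is about to add for AWS access-key-ID and secret-key patterns and refuses the commit when one appears; the config it is exercised against is constructed here from the placeholder credentials in AWS's own documentation, and the hook name and `--demo` flag are this example's own.

```python
import re
import subprocess
import sys

# AWS access key IDs start with AKIA (long-term) or ASIA (temporary) followed by
# 16 upper-case alphanumerics; the lookarounds stop matches inside longer tokens.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret key is 40 base64-ish characters, too generic to match alone, so it is
# only flagged when assigned to a "secret"-style variable on the same line.
AWS_SECRET = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key|aws_?secret)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# Constructed sample using the placeholder credentials from AWS's own documentation.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# a git commit hash must not be flagged: 3f2a1b9c0d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a
"""


def mask(value):
    """Keep the first 4 characters so the hook's own output does not leak the key."""
    return value[:4] + "*" * (len(value) - 4)


def find_aws_credentials(text):
    """Return [(line_no, kind, masked_value), ...] for every suspected credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((line_no, "access_key_id", mask(m.group(0))))
        for m in AWS_SECRET.finditer(line):
            findings.append((line_no, "secret_access_key", mask(m.group(1))))
    return findings


def staged_additions():
    """Only the lines a `git commit` is about to add; deletions cannot leak anything."""
    out = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                         capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in out.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))


if __name__ == "__main__":  # install as .git/hooks/pre-commit; --demo scans the sample
    text = SAMPLE_CONFIG if "--demo" in sys.argv else staged_additions()
    hits = find_aws_credentials(text)
    for line_no, kind, value in hits:
        print(f"added line {line_no}: possible AWS {kind} {value}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

A non-zero exit from a pre-commit hook makes git abort the commit, so the key never reaches the history that gets pushed; it does nothing for keys already committed, which need rotation rather than deletion.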

Credentials on GitHub are actually a fairly common cause of GDPR breaches, not as common as people using auto-complete in their e-mail system, but it’s up there.

So you’re not as alone as you think, and these aren’t from people trying to learn something, it’s from big enterprise IT organisations.

Auto-completing e-mail addresses is a GDPR violation? Because you could iterate them and see all the contacts? Seriously?

Any exposure, intentional or accidental, of PII to a non-authorised person is a GDPR violation. An email address is PII as it's unique to that person.

Consider the Ashley Madison breach - there were websites that let you search for an email address and see if it was included. Even without the name or address of the person it was sufficient PII to cause damages (however 'deserved').

On public websites I would agree, but all our mail clients have auto-completion. So would we need to turn that off? Would probably disable half the company.

I don't know who Ashley Madison is but that sounds far beyond sensible protection. Granted, auto-completion is restricted to employees plus some locally saved contacts. It is just the standard Outlook-Exchange setup.

You can set up what (groups) autocomplete as an admin on both Outlook and G Suite (probably other providers).

Otherwise it's only people you have been in contact with.

No, but sending all that personal information to the wrong person is, and it’s the most common GDPR violation in my country.