[benchly]

You don't see how preventative maintenance such as implementing a policy to remove old accounts after N days could have prevented this? Preventative maintenance is part of the forethought that should take place about the best or safest way to do a thing. This is something that could be easily learned by looking an problems others have had in the past.

As a controls tech, I provide a lot of documentation and teach to our customers about how to deploy, operate and maintain a machine for best possible results with lowest risk to production or human safety. Some clients follow my instruction, some do not. Guess which ones end up getting billed most for my time after they've implemented a product we make.

Too often, we want to just do without thinking. This often causes us to overlook critical points of failure.

[ChrisMarshallNY]

For the app I maintain, we have a policy of deleting inactive accounts, after a year. We delete approved signups that have not been “consummated,” after thirty days.

Even so, we still need to keep an eye out. A couple of days ago, an old account (not quite a year), started spewing connection requests to all the app users. It had been a legit account, so I have to assume it was pwned. We deleted it quickly.

A lot of our monitoring is done manually, and carefully. We have extremely strict privacy rules, and that actually makes security monitoring a bit more difficult.

[jacquesm]

These are excellent practices.

Such data is a liability, not an asset and if you dispose of it as soon as you reasonably can that's good. If this is a communications service consider saving a hash of the ID and refusing new sign ups with that same ID because if the data gets deleted then someone could re-sign up with someone else's old account. But if you keep a copy of the hash around you can check if an account has ever existed and refuse registration if that's the case.

[ChrisMarshallNY]

It would violate our privacy policy.

It's important that "delete all my information" also deletes everything after the user logs in for the first time.

Also, I'm not sure that Apple would allow it. They insist that deletion remove all traces of the user. As far as I know, there's no legal mandate to retain anything, and the nature of our demographic, means that folks could be hurt badly by leaks.

So we retain as little information as possible -even if that makes it more difficult for us to adminster, and destroy everything, when we delete.

[jacquesm]

I think you misunderstood my comment and/or fail to properly appreciate the subtle points of what I suggest you keep.

The risk you have here is one of account re-use, and the method I'm suggesting allows you to close that hole in your armor which could in turn be used to impersonate people whose accounts have been removed at their request. This is comparable to not being able to re-use a phone number once it is returned to the pool (and these are usually re-allocated after a while because they are a scarce resource, which ordinary user ids are not).

[ChrisMarshallNY]

> I think you misunderstood my comment and/or fail to properly appreciate the subtle points of what I suggest you keep.

Nah, but I understand the error. Not a big deal.

We. Just. Plain. Don't. Keep. Any. Data. Not. Immediately. Relevant. To. The. App.

Any bad actor can easily register a throwaway, and there's no way to prevent that, without storing some seriously dangerous data, so we don't even try.

It hasn't been an issue. The incident that I mentioned, is the only one we've ever had, and I nuked it in five minutes. Even if a baddie gets in, they won't be able to do much, because we store so little data. This person would have found all those connections to be next to useless, even if I hadn't stopped them.

I'm a really cynical bastard, and I have spent my entire adult life, rubbing elbows with some of the nastiest folks on Earth. I have a fairly good handle on "thinking like a baddie."

It's very important that people who may even be somewhat inimical to our community, be allowed to register accounts. It's a way of accessing extremely important resources.

[bix6]

> I provide a lot of documentation

> Some clients follow my instruction, some do not.

So you’re telling me you design a non-foolproof system?!? Why isn’t it fully automated to prevent any potential pitfalls?