by philjackson 4481 days ago
Despite the warning to the company back in 2010, I'm not sure he should be publishing this. He's putting the 2000-odd users at risk by teaching us how to get their passwords and usernames like that; it's even worse if we can get at email addresses too. I would bet the majority of those registered reuse the passwords.
3 comments

It's a timebomb. If the company won't fix it then the problem gets worse and worse, waiting 4 years before setting it off is long enough.
I'm certain that publishing this is a bad idea, particularly since he admitted to logging in as a random user. Again and again we've seen that performing trivial actions is treated by the courts as "unauthorized access."

Weev was sentenced to 3.5 years in prison for calling a public API with lots of different keys:

http://arstechnica.com/tech-policy/2013/03/auernheimer-aka-w...

In the UK, Daniel Cuthbert was convicted for typing "../../../" in his address bar:

http://www.securityfocus.com/news/11341

It's not particularly sensitive data being jeopardized; isn't it just movie reviews?
Given the prevalence of password reuse, exposing user passwords is never a good idea.
Just to drive this home a little more: a lot of your users will use the exact same e-mail address and password on your site that they use for their bank. And while they shouldn't do that, they will, and that's why you should use best practices to protect your users' credentials even if their account on your site is completely unimportant.
Ah, yes, I missed the "I would bet the majority of those registered reuse the passwords." from parent.
Besides choult's point, users can often be de-anonymized based on just a few ratings. Someone did this by cross-referencing dates in the Netflix data set and those available on one of the bigger sites.

Suddenly the fact that you were watching documentaries or movies that let others infer your political or sexual proclivities could be determined by outsiders.

The ratings are public anyway.