Security Gaffes and the Tweeter

February 2, 2021

The Next Web has some advice for those going online to discuss how a security breach has affected them—“Don’t Dox Yourself by Tweeting About Data Breaches.” Writer Ben Dickson noticed several NetGalley users doing just that following the breach of that site’s database backup file last month. He writes:

“The database in question included sensitive user information, including usernames and passwords, names, email addresses, mailing addresses, birthdays, company names, and Kindle email addresses. Unfortunately, many users took to social media and started discussing the incident without thinking about what they are putting up for everyone to see. And in their haste to be the first to tweet about the breach, many users made awful mistakes, which could further compromise their security.”

A couple of examples include the person who announced they use the same password everywhere (!) and someone who revealed their full name by reproducing their NetGalley notification. (Her Twitter account uses a pseudonym.) To make matters worse, it appears the database stored user information unencrypted. Though NetGalley itself does not keep incredibly sensitive data like banking information, hackers have ways of twisting even the most benign information to their dastardly goals. The write-up continues:

“After the NetGalley hack, the attackers have access to a fresh list of emails and passwords. They can use this information in credential stuffing attacks, where they enter the login information obtained from a data breach on other services and possibly gain access to other, more sensitive accounts. Cross-service account hijacking is something that happens often and can even include high-profile tech executives. The attackers can also combine the data from the NetGalley breach with the billions of user account records leaked in other data breaches to create more complete profiles of their targets. So, alone, the NetGalley data breach might not look like a big deal. But … every piece of information that falls into the hands of malicious actors can become instrumental to a larger attack.”
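The credential stuffing Dickson describes has a recognizable shape from the defender's side of another service: one source tries a long list of different usernames, most attempts fail, and the occasional success is a reused password paying off. The script below is an added example, not part of this post or of Dickson's article; it runs a simple detector over a constructed authentication log whose line format (`result=`, `user=`, `src=` fields) is assumed for illustration. A user fumbling their own password hits a single account and is not flagged; a source spraying leaked credentials across many accounts is, along with the accounts it actually got into.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not real data). The line format is an
# assumption made for this example, not a format NetGalley or anyone else uses.
SAMPLE_LOG = """\
2021-02-02T10:00:01Z auth result=fail user=alice src=203.0.113.5
2021-02-02T10:00:02Z auth result=fail user=bob src=203.0.113.5
2021-02-02T10:00:03Z auth result=fail user=carol src=203.0.113.5
2021-02-02T10:00:04Z auth result=fail user=dave src=203.0.113.5
2021-02-02T10:00:05Z auth result=success user=erin src=203.0.113.5
2021-02-02T10:00:06Z auth result=fail user=frank src=203.0.113.5
2021-02-02T10:01:10Z auth result=fail user=alice src=198.51.100.7
2021-02-02T10:01:20Z auth result=fail user=alice src=198.51.100.7
2021-02-02T10:01:30Z auth result=success user=alice src=198.51.100.7
2021-02-02T10:02:00Z auth result=success user=gwen src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>fail|success) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class SourceStats:
    """Per-source-address counters accumulated over the log."""
    users: set = field(default_factory=set)   # distinct accounts attempted
    failures: int = 0
    successes: int = 0
    hits: set = field(default_factory=set)    # accounts that succeeded


def parse_log(text):
    """Yield (src, user, result) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["user"], m["result"]


def aggregate(text):
    """Group attempts by source address."""
    stats = defaultdict(SourceStats)
    for src, user, result in parse_log(text):
        s = stats[src]
        s.users.add(user)
        if result == "fail":
            s.failures += 1
        else:
            s.successes += 1
            s.hits.add(user)
    return stats


def find_credential_stuffing(text, min_distinct_users=5, min_failure_ratio=0.6):
    """Return {src: SourceStats} for sources that look like credential stuffing:
    many distinct usernames tried from one address with a high failure ratio.
    Thresholds are illustrative; tune them to the service's normal traffic."""
    flagged = {}
    for src, s in aggregate(text).items():
        total = s.failures + s.successes
        if total == 0:
            continue
        if len(s.users) >= min_distinct_users and s.failures / total >= min_failure_ratio:
            flagged[src] = s
    return flagged


if __name__ == "__main__":
    for src, s in find_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {len(s.users)} accounts tried, {s.failures} failures, "
              f"accounts compromised: {sorted(s.hits) or 'none'}")
```

The accounts in the `hits` set are the ones to force a password reset on: a successful login from a source that failed against many other accounts is exactly the reused-password case the quoted passage warns about.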

Dickson hastens to add that people need not stop tweeting about data breaches altogether. Doing so can actually provide valuable discussion, as his closing examples illustrate. One should just be careful not to include personal details the hackers might add to their collection.

Cynthia Murrell, February 2, 2021
