Troy Hunt writes:
It’s a bit hard to even know where to begin with this one, perhaps at the start and then I’ll try and piece all the bits together as best I can.
As you may already know if you’re familiar with this blog, I run the service Have I been pwned? (HIBP) which allows people to discover where their personal data has been compromised on the web. When a breach hits the public airwaves, I load in the email addresses and those who subscribe to the service (it’s free) get notified of their exposure plus they can search for themselves on the site. The intent is always to tread very carefully and responsibly when it comes to handling this data, for example, how I handled the Ashley Madison breach. The contents of these breaches has potential to do harm to both the organisation which lost the data and the individuals within there so I give great thought to what the responsible approach is in each case.
Every now and then, I get someone contacting me like this:
Hey, approximately 5 months ago, a certain hacker hacked into 000webhost and dumped a 13 million database consisted of name, last name, email and plaintext password
Read more about what happened – and what didn’t happen – next on TroyHunt.com.
Alerting people/businesses to security breaches continues to be too damned difficult and time-consuming. Kudos to Troy for his efforts to protect consumers, and shame on every company that doesn’t have an easy and reliable way to contact them via email or online to report a security breach.
We shouldn’t have to jump through hoops to help you.
Short of copying the email list to a text file, then using a spam sort mailer and firing off a warning message to all, its a load of work that honestly will receive hardly any praise. With the limited amount of people caring about security, they might as well delete the message of good will and think its another phishing attempt.
I am sure the good efforts of people can probably corral a grant from the US government to align this effort with the latest “play nice during breaches act” , But that’s like Mr. Wimpy picking up a bat and whacking a 700 foot homer against Satchel Paige in his prime. =\
Yeah, I always copy/paste a snippet of the leaked database into the email body so they can investigate and see I’m not phishing them, etc. That is, they can see if they open the damned mail and send it up the chain.