After discovering that OkHello video chat service’s database was still leaking – nine days after Chris Vickery and I first notified them and tried to get them to secure it – I sent two more emails to OkHello last night to repeat the notification. Both were to email addresses that were only found last night (and great thanks to Steve Ragan for finding one of them!).
Lo and behold, this morning, OkHello now appears to have closed the leak.
They still have a lot of explaining to do…. and I do hope they respond to my email. So far, they haven’t even acknowledged any of them.
To say that I was royally ticked off by last night would be an understatement. I even openly cc:d the FTC on one email and invited them to investigate OkHello’s inadequate incident response.
We’ll see…. stay tuned. OkHello needs to investigate and disclose how many IP addresses may have accessed their leaking database and for how long the database was leaking. And they need to announce whether they will be notifying the 2.6+M users who had data in their database (including videos and personal messages) of the leak.
Update Dec. 16: I received an email from OkHello, thanking me and saying,
"We are definitely taking this matter seriously and are in the process of both reviewing the information you provided and also investigating the matter further."
The site’s home page is currently offline.
Update Dec. 20: OkHello’s site is still offline and I’ve not received any answers to the questions I posed, so I don’t know if they’re notifying users. They may still be investigating.