Data Breaches 2016 to 2021

Fair call. How does the saying go? There are only two types of organisation: those that know they have been hacked and those that don’t.

Every company handling personal information should have a Data Breach Plan in place.

They also need mechanisms in place that give them a fighting chance of knowing that they have been breached.

1 Like

One that knows it has been hacked:

May have infected over 1000 servers

With the understanding that “may” means just about anything, 1000 servers. Cough. The breaches are getting bigger.

5 Likes

A couple more data breaches.

4 Likes

Using the Chrome browser I logged into Gumtree. Upon successful login a secondary window pops up from Chrome saying I should change my password as it has been compromised. Could well be, and I may have agreed to Chrome taking my login details for their use in the fine print of an EULA, but really this seems like a real threat if the browser is sending this data to Google’s servers.
Anyone else had this occur or think it is not right?

2 Likes

To the best of my knowledge the process is done the other way around. The browser pulls a list of breached passwords from Google and performs the process locally for security.

Not to say I trust Google in the slightest.

3 Likes

Oh, OK, that is not as bad as an external server doing the comparison, but the fact that they do something with login details that have nothing to do with them does not sit right with me.

If you use Firefox, they will check your credentials against the list maintained at haveibeenpwned.com. This website collects (but does not publish) lists of publicly accessible hacked databases of email addresses and passwords. You put in your email address, and the website tells you which of your accounts have been potentially compromised, by searching its compilation of all the hacked records. You can also subscribe to notifications of newly discovered user information that matches your email address.

In this case, Firefox and the haveibeenpwned website get your email address. That is all. You get information about where that email address has been seen online, and can take action to protect your accounts (or panic if you use the same password everywhere and the website did not adequately protect its password database).

No, I would not particularly trust Google with this information about me - except it already has a whole lot more. I do subscribe to haveibeenpwned, which as I think I have mentioned before is operated by an Australian security researcher, Troy Hunt.

4 Likes
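To show how a browser can check a password against a breach list without ever sending the password itself, here is an added illustration (not code from this thread, nor from Google, Mozilla or haveibeenpwned): the SHA-1 prefix scheme of the Pwned Passwords range API, with a simulated server built from a constructed breach corpus and made-up counts.

```python
import hashlib

# Constructed breach corpus standing in for the server-side database.
# The counts are made-up sample values, not real Pwned Passwords figures.
LEAKED_PASSWORDS = {
    "password": 3730471,
    "123456": 23597311,
    "qwerty": 3912816,
}

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# --- server side (simulated) ---
# Index the corpus by the first five hex characters of each hash, so a
# query for one prefix returns every leaked hash sharing that prefix.
_RANGE_INDEX: dict[str, list[tuple[str, int]]] = {}
for _pw, _count in LEAKED_PASSWORDS.items():
    _h = sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_h[:5], []).append((_h[5:], _count))

requests_seen: list[str] = []  # everything the server learns from clients

def range_query(prefix: str) -> str:
    """Simulated body of GET api.pwnedpasswords.com/range/<prefix>:
    one 'SUFFIX:COUNT' line per matching hash, joined by CRLF."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be five uppercase hex characters")
    requests_seen.append(prefix)
    lines = [f"{suffix}:{count}" for suffix, count in _RANGE_INDEX.get(prefix, [])]
    return "\r\n".join(lines)

# --- client side (what the browser or password manager does) ---
def breach_count(password: str) -> int:
    """Return how often the password appears in the corpus (0 if never).
    Only the five-character hash prefix leaves the client; the remaining
    35 characters are compared locally against the returned suffixes."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0
```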

Just checked it and it lists Adobe and Imgur as being breached where I had an account. Interesting though, I can just put in anyone’s address and see the list of sites that were breached where they have an account.

1 Like

If you know their email address, sure. You won’t learn their passwords, though.

1 Like

As @postulative says, the list only lets you know if a particular email address had details breached. So it is not about who owns the account, their passwords or any of their more private details being released to you. Email addresses are just like a telephone directory; they aren’t really a private detail, but you can control somewhat who actually knows who owns that address. So if you find that a friend’s or associate’s address has been compromised in a breach you can always let them know which one/ones in case they don’t already know.

2 Likes

For a state actor, this data breach is second to the worst possible. The only thing worse than every single voter in the country is every single person in the country.

All made possible by recklessly incompetent application design.

The basic problem applies equally in Australia, i.e. the Commonwealth Electoral Act gives political parties the right to a copy of the electoral database (electoral roll).

3 Likes

In a Facebook post, ABC Landline asks:

Slightly OT; from a comment about the attack on Talman Software:

3 Likes

A friend of mine’s wife has been told by ransomware threats that they have access to her password manager password.

I would want evidence (although if her password was weak she can probably assume that it’s broken). Time to change every password - starting with the password manager.

4 Likes

My own choice - which may not work for everyone - is never to use an online password manager.

The upside of an online password manager is synchronised, access-from-all-your-devices, access-from-anywhere, access-anytime password information.

The downside should be obvious.

This doesn’t necessarily directly relate to the ransomware threat described. If someone has compromised your computer, then even if you use a password manager that is strictly local to that computer it is at least plausible that that intruder does have your password manager password.

But in that case, time to start by restoring your last known good backup - and then change every password.

You can partly mitigate the risk of compromise of your password manager password by using multiple local password repositories (with different passwords to access) but that then starts to undermine the reason why you use a password manager in the first place.

You can alternatively partly mitigate password manager password compromise risks by using Two Factor Authentication (2FA), but I am not sure which password managers, online or local, support that.

Yes. For starters you could ask them to identify which password manager you are using. It would be easy for a scammer to spam everyone saying “we’ve got your password manager password and thereby all your passwords” but without including any specific information.

As always, therefore, using a password manager that is not used by 90% of the population is a good start (providing that there is not a good reason why no one else uses that password manager :) ).

1 Like

Security through obscurity?

I meant: a scammer will send an email to everyone claiming something about product or service X.

If you don’t use product or service X, you can dismiss the email as a scam without giving it a second thought.

If you do use product or service X, you must examine the email more closely to see whether it is legitimate - and you might get fooled.

In a sense, it is one layer of security that is achieved through obscurity. It is a “start” but it is not the be all and end all of security. There are other layers to your security.

1 Like

9m here, 23m there.

4 Likes

One more for those who have been to University.

Amazing that institutions with some of the supposedly most IT-aware people can be caught.

5 Likes

Probably hubris being the reason.

2 Likes

You can’t assume that they actually employ their experts in the IT department.

2 Likes