
There has been a security breach that exposed some information about WWE fans, with upwards of 3 million users having their names exposed to whoever had access to the web address. The details of the leak are filled with technical jargon that can be a bit difficult to parse, but it’s obviously a very bad thing that this information has gotten out there.
The leak was first reported in a new article from Thomas Fox-Brewster of Forbes:
Earlier this week, Bob Dyachenko, from security firm Kromtech, told Forbes he’d uncovered a huge, unprotected WWE database containing information on more than 3 million users, noting it was open to anyone who knew the web address to search. Looking at samples of the leaked information provided by Dyachenko, all data was stored in plain text.
The data – which also included home and email addresses, birthdates, as well as customers’ children’s age ranges and genders where supplied – was sitting on an Amazon Web Services S3 server without username or password protection, Dyachenko said. It’s likely the database was misconfigured by WWE or an IT partner as in other recent leaks on Amazon-hosted infrastructure. WWE said it was investigating.
Yeah, the obvious way to end a story about personal information being left open to people who can easily exploit it for criminal gain because WWE’s data handlers plain didn’t encrypt or protect it is with a stupid meaningless joke. Day one at journalism school.
Thanks for your much needed contribution, Signor. I almost walked away from this article thinking that this breach is no big deal and that I could go back to honking my dick for the rest of the day.
Think of the lives that would have been saved had only this story been closed with some strong finger wagging. Had only the scorn been strong enough, space and time would have reshaped and people’s birthdays would never have been released into the world.
To provide a bit of a technical breakdown.
What they are saying happened was that WWE was storing information related to customer demographics on outside servers, in this case Amazon Web Services. This means the server was off site and could be accessed remotely. What this meant was that the data needed to be password locked and encrypted, which simply didn’t happen. That is... super weird. And I can’t understand how you let that happen.
It is weirder that they were collecting ethnic data and children’s ages. I mean, I know why they do it (I am a data analyst by trade and education) but it is still kinda iffy.
This comment explained more to my tech un-savvy brain than the article did.
And so begins the revenge of Solomon Crowe.
+1 It’s a work
So Amazon doesn’t encrypt the data on its servers as a matter of course?
It’s important to remember the distinction here is that they are talking about an Amazon Web Services server. That isn’t where Amazon (the online store) keeps their data, it is a web service they provide to provide remote servers to companies and outside parties to store data. It is SUPER expensive to actually buy and operate a server, especially one for massive amounts of data.
The servers are rented by these third parties to set up as they please. They don’t necessarily encrypt and password lock the servers because in some cases, people are just looking to host and store large quantities of data for people to use that is actually public info. It is up to the company or people loaning the server to actually encrypt the server.
That’s why I am mildly stunned by this, although it is sadly kinda common. It should have been the very first thing that was done, but oftentimes the IT people running the server simply forget. This is the same thing that caused the hubbub last year about the GOP “leaking” 198 million people’s information from voter rolls, as the article mentions. Can’t imagine how this wasn’t caught sooner.