• masterspace@lemmy.ca · 18 up · 2 months ago

    There was a previous article on this with more explanation that I’m struggling to find.

    The gist was that they do hash all passwords stored; the problem was that there was a mistake made with the internal tool they use to do that hashing, which led to the passwords inadvertently going into some log system.

    • BearOfaTime@lemm.ee · 4 up, 6 down · 2 months ago

      “mistake”

      I call BS. The reviews I’ve gone through for trivial stuff would’ve exposed this.

      This was intentional.

        • HiddenLayer555@lemmy.ml · 8 up, 2 down · 2 months ago

        Hanlon’s Razor revised: Never attribute to malice what can be attributed to incompetence, except where there is an established pattern of malice.

          • BearOfaTime@lemm.ee · 1 up · 1 month ago

          Then incompetence at a level that’s incomprehensible.

          A code review certainly exposed this, and some manager signed off on the risk.

          Again, changes I make are trivial in comparison, and our code/risk reviews would’ve exposed this in no time.

        • masterspace@lemmy.ca · 5 up, 1 down · 2 months ago

        Yeah, 'cause trivial systems are a lot easier to parse and review. At a base level that's nonsense logic.

          • BearOfaTime@lemm.ee · 1 up, 1 down · 1 month ago

          My point being the extensiveness of a review process.

          The more important a system, the more people it impacts, etc., the more extensive the review process.

          Someone chose to ignore this risk. That’s intentional.

            • masterspace@lemmy.ca · 1 up · 1 month ago

            You, quite frankly, don't know what happened, and if you're confident it's intentional, all that says is that you're a grump who likes to complain.

          • BearOfaTime@lemm.ee · 1 up · 1 month ago

          I generally agree.

          But any decent code review process would’ve exposed this, or at least a data surveillance system that checks this stuff. I’ve received a few notifications about my logs storing inappropriate data, as a result of a scanning system.

          Some manager knew about this during a code review, and signed off on the risk because it was only in-house.
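The two things discussed in this thread, a hashing helper that leaks its input into a log and the kind of log-scanning check that would have flagged it, as an added example that is not part of any post above and not the affected company's code. Function names, the in-memory log sink, the field-name patterns and the sample credential are all constructed for illustration.

```python
import hashlib
import logging
import os
import re
from io import StringIO

# Constructed in-memory log sink so the example runs offline.
LOG_SINK = StringIO()
log = logging.getLogger("hashtool")
log.setLevel(logging.DEBUG)
log.propagate = False
log.addHandler(logging.StreamHandler(LOG_SINK))

def hash_password_leaky(username: str, password: str, salt: bytes) -> str:
    """The bug pattern: a debug line formats the function's arguments, so
    the plaintext password is written to the log before it is ever hashed."""
    log.debug("hash_password called: user=%s password=%s", username, password)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def hash_password_fixed(username: str, password: str, salt: bytes) -> str:
    """Same function logging only non-secret fields; the secret never reaches
    a log formatter, so no downstream log pipeline can pick it up."""
    log.debug("hash_password called: user=%s password=<redacted>", username)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

# Patterns a log-scanning job can flag: key=value / key: value forms of
# common secret field names, with an allow-list of obvious redaction markers.
SECRET_FIELD = re.compile(r"\b(pass(?:word|wd|phrase)?|pwd|secret|token)\s*[=:]\s*(\S+)", re.I)
REDACTED = {"<redacted>", "***", "[filtered]"}

def scan_log(text: str) -> list[tuple[int, str]]:
    """Return (line_number, field_name) for every line carrying an unredacted secret."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in SECRET_FIELD.finditer(line):
            if m.group(2) not in REDACTED:
                hits.append((n, m.group(1).lower()))
    return hits

def demo() -> list[tuple[int, str]]:
    """Run both variants on a constructed credential, then scan the resulting log."""
    LOG_SINK.seek(0)
    LOG_SINK.truncate()
    salt = os.urandom(16)
    hash_password_leaky("alice", "hunter2-example", salt)   # log line 1: leaks
    hash_password_fixed("alice", "hunter2-example", salt)   # log line 2: clean
    return scan_log(LOG_SINK.getvalue())

if __name__ == "__main__":
    print(demo())   # [(1, 'password')]
```

The scanner is the cheap, after-the-fact control; the real fix is the one in `hash_password_fixed`, which keeps the secret out of any formatter in the first place.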