From lost keys to dead batteries, UK car insurance giant the AA says it’s “here for everyone”. Except, that is, when it stalls its servers with a self-inflicted distributed denial of service (DDoS) attack.
As The Register reports, on Monday, the AA accidentally sent out a “password update” email to customers.
You can imagine the response: password update? What password update? Do I have to update my password?
Concerned motorists want to know! So they all floored it over to the site to change their passwords.
…creating a traffic jam, overwhelming the AA’s servers and running them clear off the road. The Register said that Brits were “furious” when they couldn’t access their profiles, fearing that their accounts had been hijacked, with hackers having gone in and changed their passwords.
The AA didn’t help matters much with its first Twitter communique, which sounded for all the world like a massive phishing attack was under way:
We’re aware an email has been sent to members re password change. Please don’t ring the number in the email. We’re looking into this urgently
— The AA (@TheAA_UK) June 26 2017
No, nobody changed anybody’s passwords. That email wasn’t supposed to go out, the business said next:
The email was sent by us, but in error. Your password hasn’t been changed, and your data remains secure. Sorry for any confusion.
— The AA (@TheAA_UK) June 26 2017
Customers were flummoxed. The site was turning them away, yet the business said it didn’t change passwords – so what’s the deal?
Please read your own thread, you have told people their passwords have not been changed yet they have!
— Mark Phillips (@dreamengineer) June 26 2017
No, really, nobody changed your password, the AA said. Just give us a minute, we’re working on this!
We can assure you no passwords were changed, if you’re unable to log in, please don’t worry. We’re working to resolve this.
— The AA (@TheAA_Help) June 26 2017
…And while we’re at it, one commenter said, what’s going on with that database leak?!
Did you notify your users when you were told of DB leak? If not, why not?
— Sam Silvester (@SilvesterSJ) June 26 2017
That was likely in reference to a tweet, also on Monday, about 13GB of exposed database backups. The tweet came from Troy Hunt, security researcher and exposed-database wrangler extraordinaire:
A follower just advised they recently notified @TheAA_UK about 13GB of exposed DB backups. It’s not clear if they ever notified customers. http://pic.twitter.com/gOGYJSfVep
— Troy Hunt (@troyhunt) June 26 2017
So OK, a randomly sent, DDoS-spawning, not-a-phishing-attack email, followed by news about an exposed customer database that the AA didn’t inform customers about?
No, no, no, the much-explaining AA said, that exposed database was trivial, nothing to worry about, and has been taken care of!
This incident was related to the AA shop & retailers’ orders rather than sensitive info. It was rectified and taken seriously.
— The AA (@TheAA_Help) June 26 2017
So… just a stray email? Not a phishing attack? Sent by whom, exactly? The Register suggested maybe an inexperienced staffer pressing the wrong button or something like that, rather than hostile hacker action… maybe?!
Well, it wouldn’t be surprising, if it were in fact a rookie mistake. And honestly, if it were the fault of a fat-fingered newbie, it wasn’t all that bad, as mistakes go.
True, there were frustrated customers galore, judging by the Twitter sputtering. But hey, any day that doesn’t end in blowing up a company’s live production database, getting fired, and then facing legal action after only one measly day on the job – and yes that’s a true story! – well, comparatively, this one is small potatoes!
from Naked Security http://ift.tt/2spEOpa