Hacker News

1k Data Breaches Later, the Disclosure Lag Is Worse

136 points by 882542F3884314B today at 3:17 AM | 52 comments

Comments

kleiba2 today at 5:57 AM

For years, I've been trying my best to stay low-key when it comes to my personal information on the internet. I don't create new accounts, I never cross-login with my email address, I don't use phones. Certainly not perfect, but a lot of the time I prefer privacy over convenience.

At the same time, my government and society at large are pushing more and more for "digital everything". It's great when it works. But to me, every new service translates to a new opportunity for my data to be leaked.

I think one reason why we're still seeing so many breaches is that security is hard and thus expensive - and on the other hand, other than customer push-back, companies or other providers have pretty much nothing to worry about when their data gets extorted. To me, this is impossible. When I give my private data to them, I'm giving them something very valuable. If being careless with that value basically has no consequences, the incentives to care are low.

We need to establish measures of accountability for data holders. Not securing customer data appropriately needs to be prosecutable, and the affected parties need to be given a right to compensation. Of course, that's not going to happen. It would be difficult to implement in practice, if at all possible. But as long as there is no monetary incentive for data holders to be as careful as possible, the laxness is going to continue.

ian_holt today at 6:57 AM

I found I had exactly that issue ~3 months ago. A particular government department had their systems hacked and one of my email addresses became public along with tens of thousands of other users'. That in itself was bad enough, except that this particular department had known about the breach about 2 months earlier and, to make matters worse, they had not been aware that the breach had occurred back in June 2025.

> We need to establish measures of accountability for data holders. Not securing customer data appropriately needs to be prosecutable, and the affected parties need to be given a right for compensation

I 100% agree with you here. The trouble is, governments, which are often the ones to push for major court-issued penalties when corporations stuff up, don't want to be held to the same level of scrutiny and penalty. Go figure.

ItsBob today at 7:21 AM

These days I treat other people's data like it's a live hand grenade. Case in point (bit of a shameless plug here :)): I'm working on an app called Hockeytastic. It's an ice-hockey stickhandling app that my son's been using for months: the engine is solid but it looked like shit. However, his coach told me to get it on the app stores and sell subs. That meant I needed to clean it up, build a DB, store stuff etc.

Anyway, working with Google and Apple I realised that I quite literally do not need to store anything identifiable. The only identifier I store is the Apple id and the Google id and unless you steal those and then hack Google and Apple, they are utterly useless.

I do not store emails, names, addresses, nothing. That's the way I want it.

If the data is ever breached, the only thing hackers will see are many many instances of Connor McDavid, Nate Mckinnon and various other famous NHL player names :)

If more companies treated personal data like it was toxic, we'd have fewer issues with breaches. However, I see it in my day job where the marketing people want to take as much data as possible, all the time!

ripharamberip today at 7:48 AM

I have a custom domain for my emails with catch all. When I create an account somewhere I just use <name of the service>@my-domain.com

Can I find out if any of my emails are in leaks with a service somewhere?

zx8080 today at 4:19 AM

Is there ANY business motivation for any corporation to open such information up sooner than later?

keyle today at 5:03 AM

At this stage just expect that every account will get leaked or rooted; it's a matter of when, not if...

Use varying email `plus addressing`, varying passwords or passkeys, and 2FA on anything remotely important (use of your identity, not just financials).

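The two aliasing schemes described in the thread (ripharamberip's per-service catch-all addresses and keyle's plus addressing) only pay off if, when a dump surfaces, you can quickly tell which of your aliases appears in it and therefore which service leaked. The following is an added example, not code posted by anyone in the thread: it matches a breach address list against both schemes. The domains, mailbox and leaked addresses are constructed for illustration, and it assumes local parts can be compared case-insensitively (technically case-sensitive per RFC 5321, but every large provider folds case).

```python
"""Match a leaked address list against per-service email aliases.

Two alias schemes are handled:
  * catch-all domain:  <service>@my-domain.example
  * plus addressing:   me+<service>@mailbox.example
All data below is constructed for the example; no real breach is used.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed sample of what a leaked address list might contain.
LEAKED_ADDRESSES = [
    "Shop-Example@my-domain.example",   # catch-all alias, odd casing
    "forum@my-domain.example",          # catch-all alias
    "me+newsletter@mailbox.example",    # plus-addressed alias
    "ME+Bank@Mailbox.example",          # plus-addressed alias, mixed case
    "me@mailbox.example",               # base mailbox leaked without a tag
    "someone.else@other.example",       # not one of mine
    "not-an-email",                     # junk line in the dump
]

MY_CATCHALL_DOMAIN = "my-domain.example"   # assumed catch-all domain
MY_BASE_MAILBOXES = {"me@mailbox.example"}  # assumed plus-addressing mailbox
BASE_LABEL = "<base mailbox, no tag>"       # label for an untagged base address


def split_address(addr: str) -> tuple[str, str] | None:
    """Return (local_part, domain), lower-cased, or None if malformed.

    Case is folded for both halves; see the lead-in for why that is an
    assumption rather than what the RFC guarantees."""
    addr = addr.strip()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    return local.lower(), domain.lower()


def alias_label(addr: str, catchall_domain: str, base_mailboxes: set[str]) -> str | None:
    """Identify which of my aliases an address is.

    Returns the service label, BASE_LABEL for a bare base mailbox,
    or None when the address is not mine (or is malformed)."""
    parts = split_address(addr)
    if parts is None:
        return None
    local, domain = parts

    # Catch-all scheme: the whole local part names the service.
    if domain == catchall_domain.lower():
        return local

    # Plus-addressing scheme: text after the first '+' names the service.
    known_bases = {split_address(b) for b in base_mailboxes}
    base_local, _, tag = local.partition("+")
    if (base_local, domain) in known_bases:
        return tag if tag else BASE_LABEL
    return None


def find_my_leaks(leaked: list[str], catchall_domain: str, base_mailboxes: set[str]) -> dict[str, list[str]]:
    """Group the leaked addresses that belong to me by the service label they carry."""
    hits: dict[str, list[str]] = defaultdict(list)
    for addr in leaked:
        label = alias_label(addr, catchall_domain, base_mailboxes)
        if label is not None:
            hits[label].append(addr)
    return dict(hits)


if __name__ == "__main__":
    for label, addrs in sorted(find_my_leaks(LEAKED_ADDRESSES, MY_CATCHALL_DOMAIN, MY_BASE_MAILBOXES).items()):
        print(f"{label:28} <- {', '.join(addrs)}")
```

The label tells you which service to blame (and which alias to retire); an untagged hit on the base mailbox means the address escaped some other way, for example through a contact list or a provider that strips `+` tags, so the scheme gives no attribution there.
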
axegon_ today at 7:45 AM

Not to spoil the surprise but it will get much MUCH worse. Reason: sloppers. Anyone who's dealt with security and has looked into how all the slop agents work can understand how catastrophic it is from a security perspective. The "yes" button on "I trust the authors" is what unlocks the gates of hell.

charcircuit today at 4:19 AM

>why is it still needed?

It's not needed. There are already alternatives that could take its place. Some of them are able to actually show you what data leaked instead of leaving you blind as to what was actually included in the breach.

faangguyindia today at 4:24 AM

There will be more data breaches.

Google and Apple are throttling hotfix updates (for app developers) as tons of code pushes to their infra (by vibe coders) are straining their systems.

They are fixing this by throttling updates to a minimum 3-day review period.

So good luck fixing the vulnerability or data leaks in your apps.
