A data lapse at Blind, an anonymous workplace platform billed as a way for employees to flag misconduct, temporarily exposed sensitive user data, TechCrunch reported Thursday. While the company said that it deleted the data stored on one of its servers after being notified of the issue, the lapse may have left users' personal information, including corporate email addresses, exposed for several weeks.
The company told Gizmodo that it estimates about 1
The exposed Blind data was first discovered by a security researcher named Mossab H, according to TechCrunch. The researcher reportedly shared access to the data with TechCrunch reporter Zack Whittaker, who in turn notified Blind on Wednesday. The company said that it then deleted the data immediately.
The percentage of Blind users affected by the incident was calculated, according to the company, from the number of users who had logged in or created profiles between the 1st and Dec. 19. A spokesman would not reveal the company's total number of users and told Gizmodo that it was privileged information.
The company said by email and during a phone call that the exposed data had been copied to a test environment as part of work on improving a debugging tool. Under "normal" circumstances, it said, any such test data would have been "immediately deleted or encrypted" after the transfer. As for the stored passwords, the company said that the live service relies on newer, more secure algorithms.
Kyum Kim, head of Teamblind's U.S. operations, told Gizmodo that the temporary logs were not representative of how the company stores data "or our database."
"It was our fault to decide to save them for any purpose and not take enough care to protect them. We deleted all the data immediately after we found out," Kim said. "Our policy has always been to make sure that although we can not identify users, and for over 90 percent of users who have not been affected, they remain the same and their email has never existed anywhere in our database. And it is true that we can not identify anyone even with full access to our servers."
Upon learning of the problem, Blind began informing affected users via push notifications.
The company is still reviewing logs to determine whether anyone other than Whittaker and his source accessed the data, Kim said. According to Whittaker, the data was exposed through an unsecured dashboard tool of the kind businesses use to visualize internal documents and data. While the email addresses were stored in plain text, the passwords were reportedly stored using the outdated hash function MD5, a password hashing algorithm that has been considered insecure for decades. Whittaker confirmed to Gizmodo that he had successfully cracked multiple passwords using a tool on the Crackstation site.
"The data that were exposed does not represent how we store data or our database," Kim told Gizmodo. "We do not save regular text emails on our database. And we do not use MD5 encryption for data stored in our database."
The company added that the digital tokens allegedly found in the data were linked to a third-party security solution, and told Gizmodo that it was "100 percent sure that they did not have any login or access to the accounts, and hence no access features."
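As an added illustration (not code from the article, from Blind or from the researchers involved), the following contrasts the unsalted MD5 password storage described above with a salted, memory-hard alternative; the sample record, the password list and the lookup table are constructed for this example, and the five-entry table stands in for the multi-billion-entry tables that lookup sites rely on.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the kind of record the article describes:
# an email address in plain text next to an unsalted MD5 digest of the password.
SAMPLE_RECORD = {"email": "jdoe@example.com",
                 "password_md5": hashlib.md5(b"password123").hexdigest()}

# Constructed five-entry precomputed table; real lookup tables hold billions.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty", "letmein"]
MD5_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

def recover_unsalted_md5(digest: str) -> Optional[str]:
    """Why unsalted MD5 fails as a password store: the same password always
    yields the same digest, so one precomputed table serves every user and
    every breach. Returns the plaintext if the digest is in the table."""
    return MD5_LOOKUP.get(digest)

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # ~16 MiB of memory per guess

def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Hardened form: a random 16-byte per-user salt plus a memory-hard KDF
    (scrypt, from the standard library). Precomputation is defeated because
    the salt makes every user's digest unique, and each guess is deliberately
    expensive instead of a single fast MD5 operation."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt.hex(), "hash": key.hex()}

def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(record["salt"]),
                         **SCRYPT_PARAMS)
    return hmac.compare_digest(key.hex(), record["hash"])

if __name__ == "__main__":
    print("unsalted MD5 recovered:", recover_unsalted_md5(SAMPLE_RECORD["password_md5"]))
    rec = hash_password("password123")
    print("scrypt verify (correct password):", verify_password("password123", rec))
    print("scrypt verify (wrong password):  ", verify_password("password124", rec))
    print("scrypt digest in MD5 table:", recover_unsalted_md5(rec["hash"]))
```

Two users who choose the same password get identical MD5 digests, so a single table hit exposes both; with the salted form, hashing the same password twice yields two unrelated records.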