The top 5 privacy failures - what's the most epic fail of all? [POLL]

Filed Under: Adobe, Cryptography, Data loss, Facebook, Featured, Google, Privacy

Pass/Fail. Image courtesy of Shutterstock.

Last year was a record-breaking year for data breaches, with more than 800 million records lost.

And 2014 doesn't look like it's going to turn out any better (hello, eBay).

In our increasingly data-driven world - when our very identities are mined, packaged and sold; and our every move is tracked, logged and stored (hello, NSA) - online privacy has taken a major hit.

The list of culprits in our eroding privacy is long, but some fails stand out in their epicness, if you will.

So we're calling out five privacy killers that deserve an extra level of shaming.

We want your opinion, too - take our poll at the end of the article so we can crown the biggest privacy fail of them all.

1. Snapchat's "disappearing" selfies

The Snapchat messaging app gained a lot of popularity with a clever marketing pitch that turned out to be a big fat lie - that your photos and videos would "disappear forever."

As it turns out, those selfies you thought would vanish after a few seconds were anything but fleeting, as Snapchat was forced to admit after the US Federal Trade Commission slapped the company with sanctions for misleading users.

You see, all your messages, photos and videos stayed right on your phone, and on Snapchat's servers for an undefined amount of time.

Plus, warning or no warning, recipients of your messages could easily preserve them - forever - by taking a screenshot.

When the US Senate asked Snapchat representatives to appear before a hearing on data breaches, after the company spilled millions of usernames and phone numbers it had failed to secure, they didn't show up.

When called to account for its privacy fails, Snapchat turned into a ghost.

2. Adobe's mega-breach and password blunders

It's hard to describe in such a short space the epic string of failures Adobe committed with its record-shattering data breach in October 2013.

Not only were Adobe's systems insecure, allowing hackers to steal 150 million customer records, but users' passwords were stored in a way that made cracking them far easier than it should have been.

Here's the rundown of Adobe's failures from Naked Security writer and crypto-expert Paul Ducklin:

  • Passwords were encrypted instead of hashed
  • Only one decryption key was used for all passwords
  • A block cipher was used, which revealed passwords' lengths
  • Password hints were stored in clear text, with the passwords
  • Nonces weren't used so passwords still matched after encryption

So hackers could lump together batches of passwords that matched and guess all of them from the most revealing password hint in the batch.

They could also guess at passwords based on their distribution. If you know that 123456 is likely to be the most commonly used password, then whichever encrypted password occurs most frequently is probably the encrypted form of 123456, and so on down the list.
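To make the five failures above concrete, here is an added example (not code from the article, and not Adobe's scheme) that models a single-key block cipher in ECB mode with a small keyed stand-in, stores clear-text hints beside the ciphertexts, and shows what a defender reviewing such a database would find: identical ciphertexts for identical passwords, a length leak from padding, shared leading blocks for passwords with a common prefix, and a frequency ranking. It ends with the remedy the article implies: a per-user random salt and a slow hash, after which equal passwords no longer match. The key, the user list and the hints are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from collections import Counter, defaultdict

BLOCK = 8  # block size in bytes; a 64-bit block cipher is assumed for illustration

# Stand-in for a single-key block cipher in ECB mode: every 8-byte block is
# transformed on its own, deterministically, by a keyed PRF (HMAC truncated to
# the block size). This reproduces the properties under discussion (one key,
# no nonce, independent blocks, padded output) without a cipher library.
# Constructed for this example; it is not Adobe's scheme or code.
def ecb_like_encrypt(key, password):
    data = password.encode("utf-8")
    pad = BLOCK - len(data) % BLOCK            # PKCS#7-style padding, always >= 1 byte
    data += bytes([pad]) * pad
    out = b""
    for i in range(0, len(data), BLOCK):
        out += hmac.new(key, data[i:i + BLOCK], hashlib.sha256).digest()[:BLOCK]
    return out

def leaked_length_range(ciphertext):
    """Padding means the ciphertext length pins the password length to a BLOCK-wide window."""
    n = len(ciphertext)
    return (n - BLOCK, n - 1)

def shared_prefix_blocks(ct1, ct2):
    """Number of leading blocks two ciphertexts have in common (ECB leaks shared prefixes)."""
    count = 0
    for i in range(0, min(len(ct1), len(ct2)), BLOCK):
        if ct1[i:i + BLOCK] != ct2[i:i + BLOCK]:
            break
        count += 1
    return count

def group_hints_by_ciphertext(records):
    """Identical ciphertexts mean identical passwords, so their hints can be read together."""
    groups = defaultdict(list)
    for ct, hint in records:
        groups[ct].append(hint)
    return dict(groups)

def most_common_ciphertexts(records, top=3):
    """Frequency ranking: the most common ciphertext is probably the most common password."""
    return Counter(ct for ct, _ in records).most_common(top)

# Constructed sample database: (ciphertext, clear-text hint) per user, as the article describes.
KEY = b"constructed-demo-key-not-real"
USERS = [("123456", "numbers"), ("123456", "one to six"), ("password", "the usual"),
         ("123456", ""), ("password1", "usual plus 1"), ("letmein", "let me in")]
RECORDS = [(ecb_like_encrypt(KEY, pw), hint) for pw, hint in USERS]

# The remedy: a per-user random salt and a deliberately slow hash. Equal passwords
# now produce unrelated digests, and there is no key whose loss decrypts everything.
def hash_password(password, salt=None, iterations=200_000):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

def verify_password(password, salt, digest, iterations=200_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    ct, n = most_common_ciphertexts(RECORDS, 1)[0]
    print("most frequent ciphertext seen", n, "times; length window", leaked_length_range(ct))
    print("hints stored beside it:", group_hints_by_ciphertext(RECORDS)[ct])
    print("leading blocks shared by 'password' and 'password1':",
          shared_prefix_blocks(ecb_like_encrypt(KEY, "password"), ecb_like_encrypt(KEY, "password1")))
    s, d = hash_password("123456")
    print("salted hashes equal for equal passwords?", d == hash_password("123456")[1])
```

The point of the last two functions is that a password store should never need a decryption key at all: verification recomputes the salted hash and compares it in constant time, and a stolen table gives an attacker no batches to cluster and no lengths to read off.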

Oh dear.

3. The Talking Angela freak-out

This one would be funny if it wasn't so ... hysterical.

When a hoax appeared on Facebook in February claiming that the children’s app Talking Angela was actually spying on kids, many people didn't investigate the wild claims for themselves, but shared it far and wide.

The app - which features an interactive Parisian cat that talks to you - is completely harmless.

But the rumor spread like wildfire, including the far-fetched notion that a man is hiding in a room in the cat's eyes! Who takes pictures! Of your children!

Millions of people were conned by a scam about a privacy hole that didn't exist, spreading the misinformation and duping others.

Some even offered the 'advice' that if you still want to let your kids play this game - despite their conviction that it's spying on them - you should just cover up your phone's camera with your finger.

Here's an actual Facebook comment from someone spreading this ridiculous tale (the ALL CAPS are from the original post).

DO NOT DOWNLOAD THIS APP I AM WARNING YOU DO NOT DOWNLOAD THIS APP. IT IS TOTALY DANGEROUS AND DONT LISTEN TO WHAT THE MAKERS OF THE APP TELL YOU... IF U ZOOM IN HER EYES U WILL SEE A ROOM WITH A GUY IN IT, AND IT TAKES RANDOM PICTURES.... IF U WISH TO DOWNLOAD MAKE SURE U COVER UR CAMERA WITH UR FINGERS

Do you really want to take security advice from someone who can't locate the caps lock key?

This hoax wasn't even original - the same Talking Angela furor had spread almost exactly one year before.

That's an epic fail.

4. Google Glass wearer proves "Glassholes" do exist

Google Glass hasn't hit the mainstream yet - and this kind of camera-equipped, face-wearable device may never take off if people's reactions to it are any indication.

With Glass's whiff of elite privilege and its ability to record everything the wearer is looking at (potentially without you knowing), some people have taken to calling Glass-wearers "Glassholes."

Maybe that's an unfair stereotype, but a few rude individuals have cemented the perception of Glassholes into a reality.

Our nominee for an epic privacy fail is Glass "Explorer" Sarah Slocum, who continued to record patrons of a San Francisco bar who made it clear as *ahem* glass that they didn't care for it.

After the confrontation, Slocum compounded the privacy fail by sharing her recording with a local TV station.

5. Target's point-of-sale malware fiasco

Target. Image courtesy of Shutterstock.

If you're looking for a fail of epic proportions, it's hard to miss the Target data disaster, which affected millions of customers whose credit and debit card numbers were stolen by hackers just before Christmas last year.

Target missed badly with this list of failures:

  • The sophisticated cybercriminal gang that carried out the attack used credentials stolen from a Target contractor to gain access to a supposedly secure network.
  • Target execs were advised months before the breach to carry out a security review that might have caught the holes the hackers exploited.
  • Target sent a breach notification letter to customers that didn't clearly identify what data was stolen and included some really bad security advice.

To be fair to Target, a credit card breach of this sort, which used malware on its point-of-sale machines to steal unencrypted card numbers, wouldn't be possible if US banks and retailers had adopted more secure chip-and-PIN cards, rather than insecure magnetic swipe cards.

There's a lot of fail to go around.

Take our poll

Now it's your turn - which of these epic fails is the biggest? Who is the worst offender in our loss of privacy and security? Who deserves the crown of shame?

Take our poll, and sound off in the comments, to tell us what you think.

And because this is by no means a definitive list, you can nominate your own choice for most epic privacy fail.


Image of pass/fail switch courtesy of Shutterstock.


10 Responses to The top 5 privacy failures - what's the most epic fail of all? [POLL]

  1. Andrew Ludgate · 72 days ago

    I voted for Adobe instead of Target, as the Adobe password list has been used in many brute force attacks since then; it's the data breach that keeps on giving. Target, on the other hand, was detrimental to the company, but appears to have actually sparked a tightening of security in general, and protection measures did a good job of kicking in to aid those who were affected by the breach.

    If "epic fail" meant the number of systemic failures required for the breach though, I'd probably give that to Target. In fact, each item on this list is its own special type of "epic fail". I think the Adobe one has the most potential negative impact though.

  2. Reader · 72 days ago

    I want 2FA (2 factor authentication) on every site that requires me to log on with a username (or email address) and a password. Is that really asking for too much? Harrumph!

  3. David Pottage · 71 days ago

    I voted for Snapchat, because it was entirely self-inflicted. The others involved hackers or other third parties, but in Snapchat's case, they, and only they, failed to implement any security features in their app.

    On the other hand, considering how much they got bought for, they probably had the last laugh.

  4. Ismael Feller · 71 days ago

    Why is it always 'hello, NSA' if the surveillance topic comes up? I mean, 'hello, Google' and 'hello, Facebook' would also be totally adequate. And they are actually worse than the NSA; they try to directly influence your behaviour by selling your data and targeting you with very personalized ads. They have a direct impact on your life and your decisions, also on what you see when you open your browser or your search queries. Why is everyone afraid of more or less lawful government surveillance when in fact everybody is surveilled 24/7 and targeted and 'mind controlled' by advertising companies that make a living from uncontrolled surveillance and selling of captured data?

  5. Unless there really was a guy in a room taking pictures, I don't understand why Talking Angela is an epic privacy failure.

    Can someone explain?

    • Paul Ducklin · 70 days ago

      In the "Talking Angela" case, the privacy fail is by the very many people who have credulously wasted huge amounts of effort decrying a privacy onslaught that is imaginary, and sucked others into their own whirlpool of uncritical thought.

      "All that it takes for evil to flourish is for good people to stand by arguing about nonexistent threats."

      • Thanks, I now understand why you included Angela as a privacy fail, however, I still have that "one of these things is not like the others" feeling about it.

        But that's not a problem, I just won't vote for it!

        • There was some behind the scenes discussion about this and I lobbied John pretty hard to include Talking Angela in this list.

          I think Talking Angela is a colossal privacy 'false positive'. Unlike the other scenarios the organisation who make the software didn't fail us, we failed them.

  6. Randy · 71 days ago

    The epic fail for me is the public in general. Most people seem to be brainwashed into thinking it's cool to have the latest electronic monitoring tether (disguised as a smartphone) recording their GPS location, conversations, metadata, friends and acquaintances, etc. 24/7 for the government.
    Instead of reacting in horror, they actually purchase these trackers themselves, pay a monthly fee to keep them activated and even buy cute little cases for them.
    It's simply amazing what the advertising industry and the government can do when they team up to keep their eyes on us and influence our behavior.

  7. Laurence Marks · 71 days ago

    I voted for Adobe because their failure was a result of degreed professional architects, designers, and programmers not bothering to do their jobs properly. (Makes one wonder whether all their staff is so unmotivated.)

    The security folks at Target are quite blameworthy for reportedly ignoring a host of warnings and alerts but this staff may not have had as rigorous an education.

    Larry M


About the author

John Zorabedian is a blogger, copywriter and editor at Sophos. He has a background in journalism, writing about technology, business, politics and culture. He lives and works in the Boston area.