RiptideTempora

Reputation.com is Disreputable

May 1st, 2013
So apparently Reputation.com was breached today. I received an email last night that reeks of bullshit.
~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~
##
# My comments like this
##
April 30, 2013

Dear [redacted]

We are reaching out to let you know that Reputation.com recently identified, interrupted and swiftly shut down an external attack on our secure network.  Our network security personnel detected this breach shortly after it began, and took immediate steps to stop the attack before it could be completed.
##
# Then nothing of value should have been lost. Which means this email would have amounted to bragging about how l33t
# their network security staff is. Yawn. But wait, there's more!
##
At Reputation.com, transparency and openness are part of our culture.  That’s why, although the extent of the breach and the limited kind of information accessed during this attack did not legally obligate us to provide notice to our users, we nevertheless felt it was important to let you know that this event occurred.
##
# Wait, information was accessed? I thought you stopped the attack before it could be completed. Sounds like
# /something/ was completed after all.
##
It appears that of all the locations in the world where our affected users reside, only the jurisdiction of North Dakota requires us to disclose information about this incident to its residents.  However, out of an abundance of caution and due to our strong interest in transparency, we are notifying affected users, regardless of location.
##
# Blah blah. To hell with what the law says. Are we fucked?
##
Following the attack, our engineering and security team immediately conducted an exhaustive investigation,
##
# Trying to sound professional...
##
working closely with independent security experts to determine what information may have been accessed.  We are also implementing additional security measures, beyond the high level of security that is already in place, to ensure your continued protection.
##
# If a high level of security was already in place, how did you get breached? Something's fishy...
##
To give you some assurance, we want to be clear what was NOT accessed:
##
# Here's where the attackers probably employed counter-forensic techniques and actually pilfered:
##
    Financial information, such as credit card numbers or bank account information – which we do not store on our systems
    Social Security Numbers and driver's license numbers, which we do not ask for or require our users to provide (so you likely did not volunteer this information)
    Your account details, including why you retained our services
    Communication between you and our team
    Any details about the services we provided to you
##
# </incompetence>
##
The personal information that was accessed included:
##
# Doxbin, I blame you.
##
    Names
    Email and physical addresses
    In some instances, phone numbers, dates of birth, and occupational information

Additionally, a list of highly encrypted (“salted” and “hashed”) user passwords for a small minority of our users was accessed.  Although it was highly unlikely that these passwords could ever be decrypted, we immediately changed the password of every user to prevent any possible unauthorized account access.
##
# Why did you make this a separate paragraph? Shouldn't it read like this?
# The personal information that was accessed included:
#    Names
#    Email and physical addresses
#    In some instances, phone numbers, dates of birth, and occupational information
#    Hashed & salted passwords
# Why the deception, Reputation.com?
#
# And then there's "highly encrypted (“salted” and “hashed”) user passwords",
# combined with
# "Although it was highly unlikely that these passwords could ever be decrypted".
# You fail at cryptology. The salt is stored with the hash. It doesn't add any strength to the individual hash's
# resistance to brute-force attacks; it only protects hashes from being attacked with pre-built rainbow tables.
#
# Even if you used bcrypt with a cost of 16 and 128-bit /dev/random salts, all an attacker has to do is iterate the
# 10,000 most common passwords and they'll hit 98% of internet users. God forbid you use hashcat.
#
# If you have a first name, last name, email address, physical address, phone numbers, dates of birth,
# and occupational information, and a password they use to go along with it, you can 0wn these people. Changing
# their passwords on YOUR website doesn't save them from using the same password elsewhere.
##
Based on the type of information accessed, we do not believe it’s likely that you will experience any future issues as a result of this incident.  However, out of an abundance of caution, we are offering free credit monitoring for a year to those affected clients who request it within the next 30 days.
##
# That won't save them. Quit downplaying this, it's a disaster.
##
Security and your privacy remain our absolute first priority.  Please do not reply to this email.  We have established a confidential assistance line; if you have additional questions, or to receive instructions on how to register for the one (1) free year of credit monitoring, professionals will be at your disposal, Monday through Friday, 8:00 a.m. E.S.T. to 8:00 p.m. E.S.T., at (866) 597-8199.  For identification purposes, please provide reference number [redacted] when calling.
##
# Credit monitoring from a company that got breached and tried to downplay it? I'll pass.
##
Thank you.

The Reputation.com Team
~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~8<~
Reputation, your reputation is sunk with me. Not because you got breached, but because you lied about it.
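An added illustration of the salt point made in the comments above (example code, not part of the original paste or anything Reputation.com published): with PBKDF2 from the standard library standing in for bcrypt, the per-user salt only makes each stored digest unique (which is what defeats precomputed tables), the iteration count is what sets the cost of every guess, and the practical defence against a sweep of the most common passwords is to refuse those passwords at registration. The COMMON_PASSWORDS list and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a "most common passwords" list; a real deployment
# would load a much larger list (assumption, not from the paste).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1"}

# Work factor: this, not the salt, decides how expensive each guess is.
ITERATIONS = 600_000  # assumed value; tune to your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes, int]:
    """Return (salt, digest, iterations). The salt is random per user and is
    stored in the clear beside the digest, exactly as the comments describe."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salt_changes_digest(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users with the same password get different digests, so a table
    precomputed for one salt is useless against the other."""
    _, d1, _ = hash_password(password, iterations=iterations)
    _, d2, _ = hash_password(password, iterations=iterations)
    return d1 != d2


def is_acceptable_password(password: str, min_length: int = 12) -> bool:
    """Registration-time policy: a common-list password is rejected outright,
    because no salt or work factor protects a guess an attacker tries first."""
    return len(password) >= min_length and password.lower() not in COMMON_PASSWORDS


if __name__ == "__main__":
    salt, digest, its = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", salt, digest, its))
    print("salt unique:", salt_changes_digest("password"))
    print("'password' allowed:", is_acceptable_password("password"))
```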