A vulnerability in Blind, an anonymous workplace platform known as an outlet for reports of inappropriate employee behavior, temporarily exposed sensitive user data, TechCrunch reported on Thursday. While the company stated that it deleted the data stored on one of its servers after it was alerted to the problem, it may have left users' personal information, including e-mail addresses, exposed for weeks at around 1
The exposed Blind data was first discovered by a security researcher who, according to TechCrunch, is named Mossab H. The researcher reportedly shared access to the data with reporter Zack Whittaker, who alerted Blind on Wednesday. The company later stated that it had deleted the data immediately.
The percentage of Blind users affected by the incident was, according to the company, calculated from the number of users who logged in or created profiles between November 1 and December 19. A spokesperson would not divulge the company's total number of users, telling Gizmodo that this is privileged information.
The company said by email and in a phone conversation that the exposed data had been transferred to a test environment as part of work to improve a troubleshooting program. Under "normal" circumstances, such test data would have been "immediately deleted or encrypted" after the transfer. As for the stored passwords, the company said its production service uses newer, more secure algorithms.
Kyum Kim, head of US operations at Teamblind, told Gizmodo that the temporary logs were not representative of the company's data storage "or our database."
"It was our mistake to assign them to keep it for any purpose and not to take enough care to protect it. We deleted all data immediately after we found out," Kim said. "Our policy has always been to make sure that we cannot identify the users. For over 90 percent of unaffected users, this email remains unchanged and their email address has never been in our database. It is true that we cannot identify anyone, even if he has unrestricted access to our servers." After Blind learned of the problem, it reportedly began notifying affected users via push notifications.
The company is still reviewing the logs to determine whether anyone other than Whittaker and his source accessed the data without authorization, Kim said. At the time of writing, no harmful activity had been detected.
According to Whittaker, the data was accessible through an insecure dashboard tool of the kind companies use to visualize internal documents and data. While e-mail addresses were stored in plain text, passwords were reportedly stored as hashes produced by MD5, an outdated hash function that has been considered unsafe for password storage for decades. Whittaker confirmed to Gizmodo that he had successfully cracked multiple password hashes using a tool on the Crackstation website.
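The two weaknesses described above, plaintext e-mail addresses stored beside unsalted MD5 password hashes in a debugging export, as an added Python example that is not code from Blind or from the original report; the log records, HMAC key and pseudonym scheme are constructed for illustration. It audits such an export, shows why identical unsalted hashes are exactly what a lookup table resolves, redacts the export before it is copied to a test environment, and contrasts MD5 with a salted PBKDF2 hash from the standard library.

```python
import hashlib
import hmac
import os
import re


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Constructed sample of a debugging-log export of the kind described above:
# plaintext e-mail addresses next to unsalted MD5 password hashes (fake values).
SAMPLE_EXPORT = "\n".join([
    f"user_id=1001 email=alice@example.com pw_hash={_md5('password')}",
    f"user_id=1002 email=bob@example.com pw_hash={_md5('password')}",
    f"user_id=1003 email=carol@example.com pw_hash={_md5('Tr0ub4dor&3')}",
])

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


def audit_export(text: str) -> dict:
    """Count what a leak of this export would hand an attacker: plaintext
    e-mails, unsalted MD5 hashes, and hash values shared by several users.
    Identical unsalted hashes mean identical passwords, which is why one
    precomputed lookup table (the Crackstation approach) resolves all of them."""
    emails = EMAIL_RE.findall(text)
    hashes = MD5_RE.findall(text)
    shared = {h for h in hashes if hashes.count(h) > 1}
    return {"plaintext_emails": len(emails),
            "unsalted_md5": len(hashes),
            "shared_hashes": len(shared)}


def redact_export(text: str, key: bytes) -> str:
    """Pseudonymise e-mails with a keyed HMAC (records stay joinable for
    debugging but are not identifying without the key) and strip the
    password hashes entirely; they have no business in a test copy."""
    def pseudonym(m):
        return hmac.new(key, m.group(0).encode(), "sha256").hexdigest()[:16]
    return MD5_RE.sub("<removed>", EMAIL_RE.sub(pseudonym, text))


def modern_hash(password: str, salt: bytes = b""):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256): the same password yields
    a different digest per user, so a leaked set of hashes cannot be
    resolved with a single shared lookup table. Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
```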
"The data that was available did not represent how we store data or our database," Kim told Gizmodo. "We do not store plain text emails in our database. And we do not use MD5 encryption for data stored in our database."
The company added that the digital tokens allegedly found in the data were linked to a third-party security solution. It told Gizmodo it is "100 percent sure that they have no relation to login or access to accounts, so they are not access tokens."