I was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails I'd get if I registered it, assuming many orgs' 'delete' logic probably just overwrote the email address with [email protected] or similar.

The answer is at least 3 different orgs in the hour that I've owned that domain and been listening for email.

And yes, all of those emails contain the actual PII of the person who has been 'deleted' :-D

#infosec

@SecureOwl when I see posts like this I'm never sure how I feel.
On one hand, I'll never be short of jobs. Yay!

On the other hand. *Insert many expletives here* how the *expletive* do these *expletive* idiots think that that isn't the most *expletive* stupid idea on the *expletive* planet to do something so *expletively* *expletive*. And then I cry because I'm one of the people that has to fix the mess they made.

*It's late and I can't be arsed to check the spelling of my swearwords

@Fooker @SecureOwl am I the only one who's more disturbed that they didn't simply block those domains using DNS or code something to never email one of those deleteduser domains?
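As an added illustration (not code from anyone in this thread) of the delete-by-overwriting-the-email pattern from the first post and the "just refuse to mail those domains" fix suggested above: the unsafe soft delete keeps every other field and only swaps in a placeholder address, while the safe path scrubs the PII and an outbound-mail gate refuses deleted accounts and placeholder domains. The record layout, the `PLACEHOLDER_DOMAINS` list and the simulated mailer are assumptions for the example.

```python
from dataclasses import dataclass

# Placeholder domains that some systems write into "deleted" accounts; mail sent there
# goes to whoever owns the domain. Constructed list for this example.
PLACEHOLDER_DOMAINS = {"deleteduser.com", "deleted.invalid"}


@dataclass
class User:
    user_id: int
    name: str
    email: str
    deleted: bool = False


def soft_delete_unsafe(user: User) -> User:
    """The anti-pattern: all PII stays in the row, only the address is replaced."""
    user.email = f"{user.user_id}@deleteduser.com"
    return user


def delete_safe(user: User) -> User:
    """Scrub the PII in place and flag the row so no later job treats it as live."""
    user.name = "[deleted]"
    user.email = ""
    user.deleted = True
    return user


def may_send(user: User) -> bool:
    """Outbound gate: never mail deleted accounts or placeholder domains."""
    if user.deleted or "@" not in user.email:
        return False
    domain = user.email.rsplit("@", 1)[1].lower()
    return domain not in PLACEHOLDER_DOMAINS


def send_reminders(users: list, gate=may_send) -> list:
    """Simulated mailer (constructed): returns the messages that would leave the system.
    Passing a permissive gate reproduces the leak described in the thread."""
    sent = []
    for u in users:
        if gate(u):
            sent.append({"to": u.email, "body": f"Hi {u.name}, here is your account summary."})
    return sent
```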

@sysop408 If they have no way of actually deleting users other than changing their email address, they most probably won't be able to set up any new DNS records.

This is what happens when you buy a system from some other company and don't want to pay them to update when laws change. You will have to find a way to continue using your old system.

Our old database had a field called something like "active_0_or_1" for this, 25 years ago. And it wasn't even consistent with 0 or 1 being active...