Securityferret

22 Followers
12 Following
24 Posts
Making things more secure, advising on architectures. #SABSA #CISSP #CEH #ADHD #Dyslexia #cybersecurity

@joshbal4 @GossiTheDog @scrumwhat

Agreed, these standards on the whole lower the chances of easy breaches and prepare you to deal with breaches when they happen.

This is it! #pancakesCon 2023 virtual conference is THIS SUNDAY! Some final helpful notes can be found here: https://pancakescon.com/2023/03/11/final-2023-pre-con-reminders/

We are super excited to share what we have built with you. #cyberSecurity #infosec

New social engineering phish tactic just dropped on social media.
This one gets people to gut-react click and leads to a stealer (Raccoon, Redline, Vidar).
Coach those you know not to click, but if they do, to immediately reset everything that was saved in their browser (all online accounts or apps accessed via browser) and move to 2FA where possible.

@hacks4pancakes standards are there so that you can measure how much extra risk you're taking.

Notified Experian on Dec. 23 that their site was allowing anyone to see the credit report for, well, basically anyone, completely bypassing their lame 4-5 multiple guess questions and other security.

Or even in cases (like mine) where trying to get your credit report generates an error saying you have 3 other options for getting your free report from them (calling, mailing, or chat w/ rep). The site said Experian didn't have enough info to validate my identity, but when I changed the url slightly, it showed me my entire report. Glad I checked, too, because the info in there is so completely wrong I don't even know where to start.

So it's Dec. 27, and I still haven't heard anything from Experian. All you needed was the person's name, address, SSN and DOB. This info has been exposed on pretty much most Americans for many years now.

BTW, I checked this with several friends who volunteered to check their own reports, and they were able to fully replicate what I did.

It's bad enough that we can't stop companies like Experian from making $2B a quarter collecting and selling our info, but there has to be some real accountability. And as we saw with the Equifax settlement, class-actions and more laughable "credit monitoring" services aren't going to cut it.

Experian has shown this year especially that it gives exactly zero fscks about securing access to the data that drives its entire business.

https://krebsonsecurity.com/2022/08/class-action-targets-experian-over-account-security/

https://krebsonsecurity.com/2022/07/experian-you-have-some-explaining-to-do/

https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/

Users' Data was Breached in 2021, Twitter Confirms

Twitter published an update about the 2021 breach of its users' data.

CySecurity News - Latest Information Security and Hacking Incidents

I'm seeing a lot of hot takes on #LastPass, from people in #infosec coming to the conclusion that LastPass transparently disclosing breaches, or near breaches, or any incidents, is a sign of something terrible.

I think those people have not been at this long.

All companies eventually get hacked. All companies eventually will be breached, and it's not if; it's when.

And if you are a company storing millions of passwords, you better believe you are being attacked constantly.

Given that world, I want a company that:

  • is transparent and lets their users know immediately when something is up and gives as many details as they can.
  • can actually detect incidents and has a solid process to follow in dealing with them and communicating about them

If you think a company that never says, "hey, we had an incident," is more secure... oh boy.

It merely means they either a) can't detect incidents or b) are hiding them from you.

If you are using a password manager that is silent about breaches, near misses, incidents, etc., that should be cause for concern.

@malwareunicorn now that is something special.
@SecOpsWarrior @mrjeffman don't forget underpants
@MrWhiskers @metacurity to be fair, what sort of morals do you have to have to work for Meta, given their track record?