from the high-five dept
It's not uncommon to see threats towards the press occur when someone has been embarrassed. Whether it's an idiotic presidential campaign mad over a rape allegation or an attorney general pissed off at reporters who are attempting to, you know, report, these things happen. Perhaps even more common are threats against the press when they report on security exploits, such as when Sony demanded the end of the publication of documents the press got after one of the many, many times Sony has been hacked.
But I've never seen a company threaten to infect a member of the press with HIV before. This strange tale starts with an app called Hzone, which is a dating application for singles that are HIV positive. And, hey, why not? The HIV-infected need love, too. But running a site like that would seem to come with a particularly dire need for security, which should not result in the user database for the app being publicly exposed to the internet, as it was a few weeks ago.
Today's story is strange, but true. It's brought to you by DataBreaches.net and security researcher Chris Vickery. Vickery discovered that the Hzone application was leaking user data, and properly disclosed the security issue to the company. However, those initial disclosures were met with silence, so Vickery enlisted the help of DataBreaches.net.So, as too often seems to happen with these cases, a researcher found a security flaw and brought it to the company's attention, only to be completely ignored. Then the researcher goes to a press outlet, DataBreaches.net in this case. Even as Vickery continued to let the company know about the leak, the database remained exposed. And this is a database, I feel compelled to remind you, filled with the personal information of HIV infected persons. The issue wasn't fixed until mid-December, some three weeks or more since the issue was initially reported. At about that same time, DataBreaches informed Hzone that it would be reporting on the leak.
And that's when this tale takes a strange and disgusting turn.
Finally, when DataBreaches.net informed Hzone that the details of the security issues would be written about, the company responded by threatening the website's admin (Dissent) with infection.Ah, the old "We'll just infect you and your family with HIV, haha!" tactic to silence reporters. This is a company that, again, caters directly to the community of the HIV infected, exposed that community's personal information, and then used HIV infection as a cheap threat on a reporter simply for reporting on the leak. Why would anyone want anything to do with these people any longer? And, while barely apologizing, Hzone appears to be more interested in doing CYA than true security.
"Why do you want to do this? What's your purpose? We are just a business for HIV people. If you want money from us, I believe you will be disappointed. And, I believe your illegal and stupid behavior will be notified by our HIV users and you and your concerns will be revenged by all of us. I suppose you and your family members don't want to get HIV from us? If you do, go ahead."
Hzone later apologized for the threat, but it still took them some time to fix their flawed database. The company accused DataBreaches.net and Vickery of altering data, which led to speculation that the company didn't fully understand how to secure user information. An example of this is one email where the company states that only a single IP address accessed the exposed information, which is false considering Vickery used multiple computers and IP addresses.On top of that, Hzone responded to a question by DataBreaches as to whether or not the company bothered to inform its users that their personal information had been compromised.
"No, we didn't notify them. If you will not publish them out, nobody else would do that, right? And I believe you will not publish them out, right?"Oops.