This editorial was originally published on 23 Mar 2017. It is being re-run today as Steve is on holiday.
I use TrueDelta to report my car status every month. It's a nice service, allowing car owners to see what experiences others have, and think about which models and years might be a good fit for me. I've tracked multiple cars with their service for the last 3-4 years, with reminders from them every quarter to update any repairs I've made.
Recently I got an email from them with this opening: " We hoped never to have to send this email. A few days ago we learned that TrueDelta has joined the increasingly long list of organizations whose server security has been breached by hackers." The email went on to note that names and passwords to taken, and that everyone needed to perform a password reset. I applaud them for including "Security breached" in the subject as well as immediately changing everyone's passwords so old ones wouldn't work.
I've been hacked at SQLServerCentral, though to our knowledge no data was stolen, merely vandalized. We haven't ever been able to track suspected data breaches back to SSC, and I hope we never do, but I'm not naive to think that we never will. I hope we don't, but hackers make determined efforts to gain access to data. At least we are aware of security measures, have a small staff with administrative access, and try to not allow any simple attack vectors.
Not every company does a great job at securing their data, especially from phishing attacks. There's a spectrum of how carefully data is protected by organizations, and as we've seen from haveibeenpwned.com and plenty of media reports, more and more companies lose data all the time. Some of those companies notify customers (some have to), and I would guess more than a few people have had to send out emails they never expected to send. More of us will dsend those emails in the future, and we should think about that today. Is there something we can do to avoid having to send those notifications?
There probably isn't something to ensure it never happens, but we can certainly work towards improving our security. As developers, we shouldn't have short limits or character choices for passwords. If you wonder why, there's a great answer at security.stackexchange. We shouldn't be writing our own authentication schemes, but incorporating code that's been written, vetted, and reviewed. And make sure we apply patches. Most of the security holes in software are known and patched, but without being deployed. Certainly if new patches become available, we should be able to incorporate them quickly. Above all, learn what SQL Injection is and don't allow unvetted user input in queries, including those in hidden form fields.