|
 |
| | | Author: | CE_Tanja  | | Posted: | Dec 17, 2022 13:56 | | Subject: | Article about a BrickLink data breach | | Viewed: | 841 times | | Topic: | Administrative | |
|
|
BrickLink
ID CardCE_Tanja
|
Location:  USA, California |
| Member Since |
Contact |
Type |
Status |
| Feb 17, 2021 |
 |
Admin |
|
|
| BrickLink Administrator |
|
| Dear BrickLink members,
A report has recently surfaced of a possible data breach on our website, BrickLink.com.
We can assure you, our members, that we have seen no evidence of any breach of
our systems and have no reason to believe that the data you entrust us with has
been compromised.
A short while ago, we were approached by a third party who offered their services
to fix several potential security loopholes they had identified. This third party
is not one of our suppliers and we did not request them to provide any analysis
or diagnosis of our systems.
When we did not engage the services of this third party, they apparently released
this “news” that a security breach could have happened on our site. Whereas it
is true that there is always a small possibility that data could be compromised
on any site, we feel this report unfairly portrays our website as unsafe.
We have invested substantially in our security system and are confident in its
ability to keep your data safe. In addition, we strictly follow the LEGO Group
standards for GDPR compliance and other legal requirements regarding the data
of our users.
Thanks for you attention, and please feel free to contact the Help Desk with
any questions you might have.
The BrickLink Team
|
|
|
| | | | | |
| | | | | Author: | macebobo | | Posted: | Dec 17, 2022 14:14 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 170 times | | Topic: | Administrative | |
|
| In Administrative, CE_Tanja writes:
| | Dear BrickLink members,
A report has recently surfaced of a possible data breach on our website, BrickLink.com.
We can assure you, our members, that we have seen no evidence of any breach of
our systems and have no reason to believe that the data you entrust us with has
been compromised.
|
Yet. It is a vulnerability as stated in the article.
| | A short while ago, we were approached by a third party who offered their services
to fix several potential security loopholes they had identified. This third party
is not one of our suppliers and we did not request them to provide any analysis
or diagnosis of our systems.
When we did not engage the services of this third party, they apparently released
this “news” that a security breach could have happened on our site. Whereas it
is true that there is always a small possibility that data could be compromised
on any site, we feel this report unfairly portrays our website as unsafe.
|
Not unsafe, just vulnerable. Does this mean you are not taking it seriously and
are going to do nothing to remediate the identified attack vectors? (Two issues,
XSS and XXE attacks.)
| | We have invested substantially in our security system and are confident in its
ability to keep your data safe. In addition, we strictly follow the LEGO Group
standards for GDPR compliance and other legal requirements regarding the data
of our users.
|
Blah, blah, blah. Nothing to see here, ignore the minifig behind the curtain.
| | Thanks for you attention, and please feel free to contact the Help Desk with
any questions you might have.
The BrickLink Team
|
Link for those who did not see it yesterday: https://www.bleepingcomputer.com/news/security/lego-bricklink-bugs-let-hackers-hijack-accounts-breach-servers/
|
|
|
| | | | | | | | | |
| | | | | | | Author: | CE_Tanja | | Posted: | Dec 17, 2022 14:16 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 149 times | | Topic: | Administrative | |
|
|
BrickLink
ID CardCE_Tanja
|
| Location: USA, California |
| Member Since |
Contact |
Type |
Status |
| Feb 17, 2021 |
|
Admin |
|
|
| BrickLink Administrator |
|
| Please rest assured that we are taking these things very seriously.
In Administrative, macebobo writes:
| | In Administrative, CE_Tanja writes:
| | Dear BrickLink members,
A report has recently surfaced of a possible data breach on our website, BrickLink.com.
We can assure you, our members, that we have seen no evidence of any breach of
our systems and have no reason to believe that the data you entrust us with has
been compromised.
|
Yet. It is a vulnerability as stated in the article.
| | A short while ago, we were approached by a third party who offered their services
to fix several potential security loopholes they had identified. This third party
is not one of our suppliers and we did not request them to provide any analysis
or diagnosis of our systems.
When we did not engage the services of this third party, they apparently released
this “news” that a security breach could have happened on our site. Whereas it
is true that there is always a small possibility that data could be compromised
on any site, we feel this report unfairly portrays our website as unsafe.
|
Not unsafe, just vulnerable. Does this mean you are not taking it seriously and
are going to do nothing to remediate the identified attack vectors? (Two issues,
XSS and XXE attacks.)
| | We have invested substantially in our security system and are confident in its
ability to keep your data safe. In addition, we strictly follow the LEGO Group
standards for GDPR compliance and other legal requirements regarding the data
of our users.
|
Blah, blah, blah. Nothing to see here, ignore the minifig behind the curtain.
| | Thanks for you attention, and please feel free to contact the Help Desk with
any questions you might have.
The BrickLink Team
|
Link for those who did not see it yesterday: https://www.bleepingcomputer.com/news/security/lego-bricklink-bugs-let-hackers-hijack-accounts-breach-servers/
|
|
|
|
| | | | | | | | | | | | | |
| | | | | | | | | Author: | macebobo | | Posted: | Dec 17, 2022 14:47 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 111 times | | Topic: | Administrative | |
|
| In Administrative, CE_Tanja writes:
| | Please rest assured that we are taking these things very seriously.
|
That was not my take away from your initial post. It felt to me like "No big
deal, these bozos are just trying to scam us into using their product/service."
|
|
| | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | Author: | zorbanj | | Posted: | Dec 17, 2022 18:57 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 86 times | | Topic: | Administrative | |
|
| In Administrative, macebobo writes:
| | In Administrative, CE_Tanja writes:
| | Please rest assured that we are taking these things very seriously.
|
That was not my take away from your initial post. It felt to me like "No big
deal, these bozos are just trying to scam us into using their product/service."
|
I sit near the IT dept at my company (I'm not in IT myself) and vendors pull
this stunt all the time. The vendor hopes someone other than the person who decided
not to engage them sees the article and reconsiders them. Dirty pool.
|
|
| | | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | Author: | macebobo | | Posted: | Dec 17, 2022 19:01 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 88 times | | Topic: | Administrative | |
|
| In Administrative, zorbanj writes:
| | In Administrative, macebobo writes:
| | In Administrative, CE_Tanja writes:
| | Please rest assured that we are taking these things very seriously.
|
That was not my take away from your initial post. It felt to me like "No big
deal, these bozos are just trying to scam us into using their product/service."
|
I sit near the IT dept at my company (I'm not in IT myself) and vendors pull
this stunt all the time. The vendor hopes someone other than the person who decided
not to engage them sees the article and reconsiders them. Dirty pool.
|
Yes and no. If they are white hat hackers, then it is good. If they are a vendor
trying to get you to use their service, then it is indeed dirty pool. This seems
like it may have been the later. Still, not a good way for BL to respond in
a public forum.
Comic guy (Mark) is in top form today:
http://v4ei.com/comics/index.php?id=breach
|
|
|
| | | | | | | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | Author: | Nubs_Select | | Posted: | Dec 17, 2022 19:07 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 91 times | | Topic: | Administrative | |
|
| In Administrative, macebobo writes:
| | In Administrative, zorbanj writes:
| | In Administrative, macebobo writes:
| | In Administrative, CE_Tanja writes:
| | Please rest assured that we are taking these things very seriously.
|
That was not my take away from your initial post. It felt to me like "No big
deal, these bozos are just trying to scam us into using their product/service."
|
I sit near the IT dept at my company (I'm not in IT myself) and vendors pull
this stunt all the time. The vendor hopes someone other than the person who decided
not to engage them sees the article and reconsiders them. Dirty pool.
|
Yes and no. If they are white hat hackers, then it is good. If they are a vendor
trying to get you to use their service, then it is indeed dirty pool. This seems
like it may have been the later. Still, not a good way for BL to respond in
a public forum.
Comic guy (Mark) is in top form today:
http://v4ei.com/comics/index.php?id=breach
|
|
|
|
| | | | | | | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | Author: | 1001bricks | | Posted: | Dec 18, 2022 00:57 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 82 times | | Topic: | Administrative | |
|
| In Administrative, macebobo writes:
| | In Administrative, zorbanj writes:
| | In Administrative, macebobo writes:
| | In Administrative, CE_Tanja writes:
| | Please rest assured that we are taking these things very seriously.
|
That was not my take away from your initial post. It felt to me like "No big
deal, these bozos are just trying to scam us into using their product/service."
|
I sit near the IT dept at my company (I'm not in IT myself) and vendors pull
this stunt all the time. The vendor hopes someone other than the person who decided
not to engage them sees the article and reconsiders them. Dirty pool.
|
Yes and no. If they are white hat hackers, then it is good. If they are a vendor
trying to get you to use their service, then it is indeed dirty pool. This seems
like it may have been the later. Still, not a good way for BL to respond in
a public forum.
Comic guy (Mark) is in top form today:
http://v4ei.com/comics/index.php?id=breach
|
The Unbelievable Truth.
Mark is so precious to us - I hope BrickLink deserves his talent.
|
|
|
| | | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | Author: | Adjour | | Posted: | Dec 18, 2022 00:47 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 75 times | | Topic: | Administrative | |
|
| In Administrative, zorbanj writes:
| | In Administrative, macebobo writes:
| | In Administrative, CE_Tanja writes:
| | Please rest assured that we are taking these things very seriously.
|
That was not my take away from your initial post. It felt to me like "No big
deal, these bozos are just trying to scam us into using their product/service."
|
I sit near the IT dept at my company (I'm not in IT myself) and vendors pull
this stunt all the time. The vendor hopes someone other than the person who decided
not to engage them sees the article and reconsiders them. Dirty pool.
|
Came here to say this.
This occurs in all industries.
|
|
| | | | | | | | | |
| | | | | | | Author: | peregrinator | | Posted: | Dec 17, 2022 14:31 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 119 times | | Topic: | Administrative | |
|
| In Administrative, macebobo writes:
From the article, which then goes on to describe vulnerabilities totally unrelated
to the API:
| | Security analysts have discovered two API security vulnerabilities in BrickLink.com
|
|
|
| | | | | | | | | | | | | |
| | | | | | | | | Author: | macebobo | | Posted: | Dec 17, 2022 14:39 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 105 times | | Topic: | Administrative | |
|
| In Administrative, peregrinator writes:
| | In Administrative, macebobo writes:
From the article, which then goes on to describe vulnerabilities totally unrelated
to the API:
| | Security analysts have discovered two API security vulnerabilities in BrickLink.com
|
|
Not sure of your point, but it does not make the XSS and XXE vulnerabilities
any less concerning. I wrote it off to poor writing/journalism.
|
|
| | | | | |
| | | | | Author: | CPgolfaddict | | Posted: | Dec 17, 2022 16:58 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 102 times | | Topic: | Administrative | |
|
| Can you provide some assurance us by telling us the types of security scans that
you are running on BrickLink? You don't need to name brands/names of specific
tools. Just the sorts of things you are doing...
Are you running a DAST and/or IAST scan? (Dynamic and/or interactive scans)
This sort of application scan, (run on a test environment) probes the application
for breaches such as those mentioned in the article.
A SAST (static testing) may also help in this area.
known vulnerable patterns in the code itself.
SCA - Software Composition Analysis (e.g. looking for vulnerable Open Source
Libraries incorporated into the application). I'm used to calling this Open
Source SW scanning.
Secrets -- Scanning for api key/secret or an ID/PW inadvertently left in
the code itself.
In Administrative, CE_Tanja writes:
| | Dear BrickLink members,
A report has recently surfaced of a possible data breach on our website, BrickLink.com.
We can assure you, our members, that we have seen no evidence of any breach of
our systems and have no reason to believe that the data you entrust us with has
been compromised.
A short while ago, we were approached by a third party who offered their services
to fix several potential security loopholes they had identified. This third party
is not one of our suppliers and we did not request them to provide any analysis
or diagnosis of our systems.
When we did not engage the services of this third party, they apparently released
this “news” that a security breach could have happened on our site. Whereas it
is true that there is always a small possibility that data could be compromised
on any site, we feel this report unfairly portrays our website as unsafe.
We have invested substantially in our security system and are confident in its
ability to keep your data safe. In addition, we strictly follow the LEGO Group
standards for GDPR compliance and other legal requirements regarding the data
of our users.
Thanks for you attention, and please feel free to contact the Help Desk with
any questions you might have.
The BrickLink Team
|
|
|
|
| | | | | | | | | |
| | | | | | | Author: | SylvainLS | | Posted: | Dec 17, 2022 17:12 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 102 times | | Topic: | Administrative | |
|
| In Administrative, CPgolfaddict writes:
| | Can you provide some assurance us by telling us the types of security scans that
you are running on BrickLink? You don't need to name brands/names of specific
tools. Just the sorts of things you are doing...
Are you running a DAST and/or IAST scan? (Dynamic and/or interactive scans)
This sort of application scan, (run on a test environment) probes the application
for breaches such as those mentioned in the article.
A SAST (static testing) may also help in this area.
known vulnerable patterns in the code itself.
SCA - Software Composition Analysis (e.g. looking for vulnerable Open Source
Libraries incorporated into the application). I'm used to calling this Open
Source SW scanning.
Secrets -- Scanning for api key/secret or an ID/PW inadvertently left in
the code itself.
|
Looking for a job?
|
|
|
| | | | | | | | | | | | | |
| | | | | | | | | Author: | TheCuteGiraffe | | Posted: | Dec 17, 2022 18:27 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 82 times | | Topic: | Administrative | |
|
| | You giving em out? |
|
| | | | | | | | | |
| | | | | | | Author: | 1001bricks | | Posted: | Dec 17, 2022 17:40 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 79 times | | Topic: | Administrative | |
|
| | | Are you running a DAST and/or IAST scan?
|
I'm sure she knows, just like everyone!
I wouldn't do any such acronym thing (first), I'd just a CTRL+F on all
user Input fields and check if they're sanitized correctly... 
|
|
| | | | | |
| | | | | Author: | CPgolfaddict | | Posted: | Dec 17, 2022 17:28 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 95 times | | Topic: | Administrative | |
|
| Upon closer read.... near the end. So this is good....
"The security researchers reported the discovered vulnerabilities to LEGO, and
the company took action to fix all issues."
I am still professionally curious about the scans....
In Administrative, CE_Tanja writes:
| | Dear BrickLink members,
A report has recently surfaced of a possible data breach on our website, BrickLink.com.
We can assure you, our members, that we have seen no evidence of any breach of
our systems and have no reason to believe that the data you entrust us with has
been compromised.
A short while ago, we were approached by a third party who offered their services
to fix several potential security loopholes they had identified. This third party
is not one of our suppliers and we did not request them to provide any analysis
or diagnosis of our systems.
When we did not engage the services of this third party, they apparently released
this “news” that a security breach could have happened on our site. Whereas it
is true that there is always a small possibility that data could be compromised
on any site, we feel this report unfairly portrays our website as unsafe.
We have invested substantially in our security system and are confident in its
ability to keep your data safe. In addition, we strictly follow the LEGO Group
standards for GDPR compliance and other legal requirements regarding the data
of our users.
Thanks for you attention, and please feel free to contact the Help Desk with
any questions you might have.
The BrickLink Team
|
|
|
|
| | | | | | | | | |
| | | | | | | Author: | 1001bricks | | Posted: | Dec 17, 2022 17:44 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 82 times | | Topic: | Administrative | |
|
| | | I am still professionally curious about the scans....
|
Yep - me too - but you must professionnally know it's not your business (until
you're eventually in contract with them)
|
|
| | | | | |
| | | | | Author: | jodawill | | Posted: | Dec 17, 2022 20:57 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 127 times | | Topic: | Administrative | |
|
| In Administrative, CE_Tanja writes:
| | Dear BrickLink members,
A report has recently surfaced of a possible data breach on our website, BrickLink.com.
We can assure you, our members, that we have seen no evidence of any breach of
our systems and have no reason to believe that the data you entrust us with has
been compromised.
A short while ago, we were approached by a third party who offered their services
to fix several potential security loopholes they had identified. This third party
is not one of our suppliers and we did not request them to provide any analysis
or diagnosis of our systems.
When we did not engage the services of this third party, they apparently released
this “news” that a security breach could have happened on our site. Whereas it
is true that there is always a small possibility that data could be compromised
on any site, we feel this report unfairly portrays our website as unsafe.
We have invested substantially in our security system and are confident in its
ability to keep your data safe. In addition, we strictly follow the LEGO Group
standards for GDPR compliance and other legal requirements regarding the data
of our users.
Thanks for you attention, and please feel free to contact the Help Desk with
any questions you might have.
The BrickLink Team
|
That's not how this works. A security researcher isn't a "supplier."
The correct response when someone privately discloses a vulnerability is to say
thank you and fix it immediately. Reading between the lines here, it sounds like
Lego's response was simply to ignore them. The standard practice in the industry
is to publicly disclose vulnerabilities if the company doesn't respond because
sometimes (and apparently in this case) bad publicity is the only way to get
things fixed.
We owe a debt to security researchers for finding these vulnerabilities before
the bad guys do. Your post is incredibly disrespectful to the people who keep
us safe. If they hadn't reported this, someone else could have abused it.
Quite frankly, this is one of the worst responses I've ever seen to a security
finding. I expect more from The Lego Group.
|
|
|
| | | | | | | | | |
| | | | | | | Author: | wildchicken13 | | Posted: | Dec 18, 2022 10:45 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 72 times | | Topic: | Administrative | |
|
| In Administrative, jodawill writes:
| | The correct response when someone privately discloses a vulnerability is to say
thank you and fix it immediately. Reading between the lines here, it sounds like
Lego's response was simply to ignore them.
|
My impression of the article was the opposite:
The security researchers reported the discovered vulnerabilities to LEGO,
and the company took action to fix all issues.
Which is the "correct" response as you stated above.
|
|
| | | | | | | | | |
| | | | | | | Author: | rv6abob | | Posted: | Dec 18, 2022 16:34 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 109 times | | Topic: | Administrative | |
|
| In Administrative, jodawill writes:
| | In Administrative, CE_Tanja writes:
| | Dear BrickLink members,
A report has recently surfaced of a possible data breach on our website, BrickLink.com.
We can assure you, our members, that we have seen no evidence of any breach of
our systems and have no reason to believe that the data you entrust us with has
been compromised.
A short while ago, we were approached by a third party who offered their services
to fix several potential security loopholes they had identified. This third party
is not one of our suppliers and we did not request them to provide any analysis
or diagnosis of our systems.
When we did not engage the services of this third party, they apparently released
this “news” that a security breach could have happened on our site. Whereas it
is true that there is always a small possibility that data could be compromised
on any site, we feel this report unfairly portrays our website as unsafe.
We have invested substantially in our security system and are confident in its
ability to keep your data safe. In addition, we strictly follow the LEGO Group
standards for GDPR compliance and other legal requirements regarding the data
of our users.
Thanks for you attention, and please feel free to contact the Help Desk with
any questions you might have.
The BrickLink Team
|
That's not how this works. A security researcher isn't a "supplier."
The correct response when someone privately discloses a vulnerability is to say
thank you and fix it immediately. Reading between the lines here, it sounds like
Lego's response was simply to ignore them. The standard practice in the industry
is to publicly disclose vulnerabilities if the company doesn't respond because
sometimes (and apparently in this case) bad publicity is the only way to get
things fixed.
We owe a debt to security researchers for finding these vulnerabilities before
the bad guys do. Your post is incredibly disrespectful to the people who keep
us safe. If they hadn't reported this, someone else could have abused it.
Quite frankly, this is one of the worst responses I've ever seen to a security
finding. I expect more from The Lego Group.
|
I couldn't have said this better myself. I have worked in IT Security and
believe me, there are many of these type incidents. Most of these happen because
companies don't keep all there software updated with the latest security
fixes. The proper response to these incidents is to acknowledge the issue, disclose
the fix and move on.
|
|
|
| | | | | |
| | | | | Author: | Shiran | | Posted: | Dec 20, 2022 15:27 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 206 times | | Topic: | Administrative | |
|
| Well well...
Not only that is an utter lie and nobody offered you any "service to fix
several potential security loopholes they had identified", but simply disclosed
the issues to you guys before publishment. Which is the responsible way to do
a coordinated disclosure.
Moreover, when I did the security research on your website I only touched the
tip of the iceberg and found those vulnerabilities. I bet that if I had continued
I'd find ten times more and could've taken over your administrative account
and given any statement I want to the BrickLink community.
Unfortunately for you, I'm already on my next venture to keep the world safe
and will not conduct any further research nor disclose any other vulnerabilities
to BrickLink.
As a concerned Lego fan myself, and especially after witnessing the level of
security in your website I'd strongly advise you guys do some serious work
securing your website instead of giving false statements to your community.
Cheers
In Administrative, CE_Tanja writes:
| | Dear BrickLink members,
A report has recently surfaced of a possible data breach on our website, BrickLink.com.
We can assure you, our members, that we have seen no evidence of any breach of
our systems and have no reason to believe that the data you entrust us with has
been compromised.
A short while ago, we were approached by a third party who offered their services
to fix several potential security loopholes they had identified. This third party
is not one of our suppliers and we did not request them to provide any analysis
or diagnosis of our systems.
When we did not engage the services of this third party, they apparently released
this “news” that a security breach could have happened on our site. Whereas it
is true that there is always a small possibility that data could be compromised
on any site, we feel this report unfairly portrays our website as unsafe.
We have invested substantially in our security system and are confident in its
ability to keep your data safe. In addition, we strictly follow the LEGO Group
standards for GDPR compliance and other legal requirements regarding the data
of our users.
Thanks for you attention, and please feel free to contact the Help Desk with
any questions you might have.
The BrickLink Team
|
|
|
|
| | | | | | | | | |
| | | | | | | Author: | macebobo | | Posted: | Dec 20, 2022 15:31 | | Subject: | (Cancelled) | | Viewed: | 71 times | | Topic: | Administrative | |
|
| | (Cancelled) |
|
| | | | | | | | | | | | | |
| | | | | | | | | Author: | 1001bricks | | Posted: | Dec 20, 2022 15:33 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 95 times | | Topic: | Administrative | |
|
| | | What's your point or is this just an ego flex?
|
I'd guess it's a reply to "that we have seen no evidence of any breach
of our systems"?
|
|
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | Author: | macebobo | | Posted: | Dec 20, 2022 19:47 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 127 times | | Topic: | Administrative | |
|
| In Administrative, 1001bricks writes:
| | I'd guess it's a reply to "that we have seen no evidence of any breach
of our systems"?
|
Yeah, I deleted it when I realized who I was replying to. Had my head deep in
a dryer repair today, a popped into the forum during lunch.
Here is a blog post written by Shiran: https://salt.security/blog/missing-bricks-finding-security-holes-in-lego-apis
|
|
| | | | | | | | | |
| | | | | | | Author: | 1001bricks | | Posted: | Dec 20, 2022 15:31 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 84 times | | Topic: | Administrative | |
|
| In Administrative, Shiran writes:
| | Well well...
Not only that is an utter lie and nobody offered you any "service to fix
several potential security loopholes they had identified", but simply disclosed
the issues to you guys before publishment. Which is the responsible way to do
a coordinated disclosure.
Moreover, when I did the security research on your website I only touched the
tip of the iceberg and found those vulnerabilities. I bet that if I had continued
I'd find ten times more and could've taken over your administrative account
and given any statement I want to the BrickLink community.
Unfortunately for you, I'm already on my next venture to keep the world safe
and will not conduct any further research nor disclose any other vulnerabilities
to BrickLink.
As a concerned Lego fan myself, and especially after witnessing the level of
security in your website I'd strongly advise you guys do some serious work
securing your website instead of giving false statements to your community.
|
Agreed - unfortunately - and thanks for your work and communication with TLG
as shown in your article in https://salt.security Shiran!
We need people like you.
|
|
|
| | | | | | | | | |
| | | | | | | Author: | StarBrick | | Posted: | Dec 20, 2022 15:45 | | Subject: | Re: Article about a BrickLink data breach - Thanks | | Viewed: | 84 times | | Topic: | Administrative | |
|
| Glad you did what you (guys?) did!
And thanks for posting it here too.
Doesn't take the feeling away Lego should have responded differently, but
my take is that you are 'on our side'. If there are any, that is... .
|
|
| | | | | | | | | |
| | | | | | | Author: | UTLF | | Posted: | Dec 20, 2022 19:05 | | Subject: | (Cancelled) | | Viewed: | 100 times | | Topic: | Administrative | |
|
| | (Cancelled) |
|
| | | | | |
| | | | | Author: | CE_Tanja | | Posted: | Dec 21, 2022 15:05 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 239 times | | Topic: | Administrative | |
|
|
BrickLink
ID CardCE_Tanja
|
| Location: USA, California |
| Member Since |
Contact |
Type |
Status |
| Feb 17, 2021 |
|
Admin |
|
|
| BrickLink Administrator |
|
| Dear all,
Thanks for your comments and curiosity around the details of this incident.
On reflection, our statement could have been clearer. In this instance, a member
of the community got in touch with us regarding their research findings. Based
on this, we took all precautionary measures to address the vulnerability they
raised and rolled out a fix in early November.
We appreciate they got in touch, but also want to assure everyone that at no
time was any data at risk.
We’re very serious about the security of Bricklink and will continue to take
all necessary steps to make sure the site and users’ data is safe
The BrickLink Team
In Administrative, CE_Tanja writes:
| | Dear BrickLink members,
A report has recently surfaced of a possible data breach on our website, BrickLink.com.
We can assure you, our members, that we have seen no evidence of any breach of
our systems and have no reason to believe that the data you entrust us with has
been compromised.
A short while ago, we were approached by a third party who offered their services
to fix several potential security loopholes they had identified. This third party
is not one of our suppliers and we did not request them to provide any analysis
or diagnosis of our systems.
When we did not engage the services of this third party, they apparently released
this “news” that a security breach could have happened on our site. Whereas it
is true that there is always a small possibility that data could be compromised
on any site, we feel this report unfairly portrays our website as unsafe.
We have invested substantially in our security system and are confident in its
ability to keep your data safe. In addition, we strictly follow the LEGO Group
standards for GDPR compliance and other legal requirements regarding the data
of our users.
Thanks for you attention, and please feel free to contact the Help Desk with
any questions you might have.
The BrickLink Team
|
|
|
|
| | | | | | | | | |
| | | | | | | Author: | macebobo | | Posted: | Dec 24, 2022 12:08 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 108 times | | Topic: | Administrative | |
|
| In Administrative, CE_Tanja writes:
| | Dear all,
Thanks for your comments and curiosity around the details of this incident.
On reflection, our statement could have been clearer. In this instance, a member
of the community got in touch with us regarding their research findings. Based
on this, we took all precautionary measures to address the vulnerability they
raised and rolled out a fix in early November.
We appreciate they got in touch, but also want to assure everyone that at no
time was any data at risk.
We’re very serious about the security of Bricklink and will continue to take
all necessary steps to make sure the site and users’ data is safe
|
OMG, BL needs a good PR person stat, this statement is so full of BS.
Comic guy (Mark) said it best...
http://v4ei.com/comics/index.php?id=moutarde
|
|
|
| | | | | | | | | | | | | |
| | | | | | | | | Author: | Nubs_Select | | Posted: | Dec 24, 2022 12:40 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 84 times | | Topic: | Administrative | |
|
| In Administrative, macebobo writes:
| | In Administrative, CE_Tanja writes:
| | Dear all,
Thanks for your comments and curiosity around the details of this incident.
On reflection, our statement could have been clearer. In this instance, a member
of the community got in touch with us regarding their research findings. Based
on this, we took all precautionary measures to address the vulnerability they
raised and rolled out a fix in early November.
We appreciate they got in touch, but also want to assure everyone that at no
time was any data at risk.
We’re very serious about the security of Bricklink and will continue to take
all necessary steps to make sure the site and users’ data is safe
|
OMG, BL needs a good PR person stat, this statement is so full of BS.
Comic guy (Mark) said it best...
http://v4ei.com/comics/index.php?id=moutarde
|
those comics are the best!
|
|
|
| | | | | | | | | | | | | |
| | | | | | | | | Author: | ImperialFleet | | Posted: | Dec 24, 2022 12:45 | | Subject: | Re: Article about a BrickLink data breach | | Viewed: | 111 times | | Topic: | Administrative | |
|
| Heheh, so true
MBA
|
|
|
|
|
Canada, Ontario
France, Provence-Alpes-Côte d'Azur
Australia, Victoria
Israel, Mehoz HaMerkaz
Netherlands, Gelderland
