Comment by pentagrama
16 hours ago
Maybe it’s a naive question, but in many breach reports I see things like 'No passwords, private keys, or funds were exposed.' How come companies can usually protect that kind of data, but not emails, names, and other personal info?
Companies want the ability to use things like emails, names, and other data for user experiences (go to settings, see name and change it), advertising (target this address book for X ad), etc. So these are typically plaintext (oversimplified) and accessible by different systems while passwords or private keys have one use case only and can have a higher bar of protection.
Such data is typically encrypted and purely write-only, only read by the system itself. Thus it is only exposed if the database itself is exposed. If the leak was compromise of the systems that access the data (which appears to be the case here--insiders copied data they could access) the write-only info is not exposed.
A properly implemented login system will never store a password in the first place. Properly hashed passwords can still be cracked in some cases, but if your password is strong and the hash is good, it’s safe.
It was some BI/analyst database that leaked?