I've worked for multiple Fortune 25 companies, and that excuse does not fly. Not in banking or healthcare, where breaches of privacy/confidentiality are actually illegal, rather than merely distasteful. Small teams and careless devs doing that sort of bad logging will be caught and corrected by strict security oversight.

This is the sort of thing that leads the HN crowd to sneer at the old, slow ways of the enterprise world.

The passwords in plaintext weren't a breach or a leak. If you punish Facebook for it, they would be less inclined to share such information in the future.


If we can't trust a company to audit themselves fairly (in fact, we generally can't), then they should bear the burden of paying for an external audit of their processes; many "boring" industries have these sorts of requirements.


That's how you handle children, though. No one is going to ignore wrongdoings in hopes the perp will continue to play nicely.


There might not have been a large-scale public data dump of passwords, but if 20,000[1] employees had access to logs with plaintext passwords, there is no guarantee I could ever accept that zero of them read or used customer passwords for personal purposes.

What's to stop a malicious ex-lover from grabbing a FB password and reading that person's private messages? If FB didn't even know there were passwords in plaintext, they very likely weren't auditing log access as much as was needed.

[1] https://www.theverge.com/2019/3/21/18275837/facebook-plain-t...
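Two comments in this thread touch the same engineering problem: "careless devs doing that sort of bad logging" and logs that thousands of employees could read "with plaintext passwords" in them. The following is an added example (not code from the thread, from Facebook, or from any commenter) of the two controls a practitioner would want in place: a logging filter that redacts credential fields before a record is ever written, and a scanner that finds plaintext credentials in logs that already exist. The key names, regex patterns and sample log lines are assumptions constructed for the example.

```python
"""Scrub credentials before they reach a log, and scan logs for ones that did.

Added example for this thread, not code from Facebook or from any commenter.
Key names, patterns and the sample log lines below are assumptions made for
illustration.
"""
import io
import logging
import re
from typing import Any, Iterable, List, Tuple

# Field names whose values must never be logged in the clear (assumed list;
# a real deployment derives it from its own request schema).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "new_password",
                  "old_password", "secret", "token"}
REDACTED = "[REDACTED]"

# Free-text forms a credential commonly takes inside a log line:
#   key=value   (query strings, form bodies)      ->  key=[REDACTED]
#   "key": "v"  (JSON bodies dumped into a log)   ->  "key": "[REDACTED]"
_KEYS = "|".join(sorted(SENSITIVE_KEYS, key=len, reverse=True))
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b(" + _KEYS + r")=([^&\s\"']+)", re.IGNORECASE),
     r"\g<1>=" + REDACTED),
    (re.compile(r'"(' + _KEYS + r')"\s*:\s*"([^"]+)"', re.IGNORECASE),
     r'"\g<1>": "' + REDACTED + '"'),
]


def scrub_text(line: str) -> str:
    """Redact credential values embedded in a free-text log line."""
    for pattern, replacement in FREE_TEXT_PATTERNS:
        line = pattern.sub(replacement, line)
    return line


def scrub(obj: Any) -> Any:
    """Recursively redact sensitive keys in dicts/lists; scrub strings as text."""
    if isinstance(obj, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub(v))
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(scrub(v) for v in obj)
    if isinstance(obj, str):
        return scrub_text(obj)
    return obj


class CredentialScrubber(logging.Filter):
    """Attach to a handler (or logger) so no record is emitted unscrubbed."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Structured args (dict or tuple) are scrubbed by key name first.
        record.args = scrub(record.args)
        # Then render and scrub the final text as well, so a credential baked
        # into the format string itself is caught; args are cleared because
        # the message is now fully rendered.
        record.msg = scrub_text(record.getMessage())
        record.args = None
        return True


def find_leaks(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Scan existing log lines; return (line_no, key) per plaintext credential."""
    hits: List[Tuple[int, str]] = []
    for line_no, line in enumerate(lines, start=1):
        for pattern, _ in FREE_TEXT_PATTERNS:
            hits.extend((line_no, m.group(1).lower()) for m in pattern.finditer(line))
    return hits


def render_with_filter(msg: str, *args: Any) -> str:
    """Log one message through CredentialScrubber and return the rendered text."""
    stream = io.StringIO()
    logger = logging.getLogger(__name__ + ".scrubdemo")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(CredentialScrubber())
    logger.addHandler(handler)
    try:
        logger.info(msg, *args)
    finally:
        logger.removeHandler(handler)
    return stream.getvalue().strip()


SAMPLE_LOG = [  # constructed for this example, not real log data
    "10:00:01 INFO POST /login body=user=alice&password=hunter2 status=200",
    "10:00:02 INFO GET /profile?id=42 status=200",
    '10:00:03 DEBUG request={"user": "bob", "password": "S3cret!", "remember": true}',
]

if __name__ == "__main__":
    for line_no, key in find_leaks(SAMPLE_LOG):
        print(f"line {line_no}: plaintext '{key}' value")
    for line in SAMPLE_LOG:
        print(scrub_text(line))
    print(render_with_filter("login attempt %s", {"user": "alice", "password": "hunter2"}))
```

The filter is deliberately attached at the handler, the last point before a record is written, so a developer who logs a whole request object "for debugging" is still covered. The scanner is the complementary control: it answers the question the comment raises (did passwords reach logs that many people could read?) rather than assuming the answer is no.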


Malicious insiders don't need your password to access your data. If you are concerned about malicious insiders then plaintext password logs don't matter.


I'm more concerned with plaintext passwords because most people use the same passwords over and over, so if you can break one system, you can break others.


With FB's dataset and employee count, it would be insane not to be concerned with malicious insiders. Even if you completely discount morality and honesty where Facebook is concerned (and I do), there's substantial liability risk, PR risk, regulatory risk and commercial paranoia, which I suspect was likely their biggest concern, at least until recently.


There's a dead sibling to my comment mentioning that your congruence.io website has an expired SSL certificate, fyi.


There is no oversight in a Devops world. New systems come up in protoduction, celebrations are had, and the data protection officers and security compliance officers remain in blissful ignorance.
