
I believe a common reason for this is that they don't want to announce it until they're completely sure the breach is gone and that they have control of things again. Announcing that it happened and that it's ongoing forces them to either cease operations or face liability.


So covering up a known in-progress security breach is standard procedure? Instead of telling your users to change their passwords and so on?

Personally, I demand criminal investigation and at least a $1000 fine per account breached.


Yeah, that sucks because I have my business stuff with them (I know, I know). On the bright side I didn't receive an email so maybe they didn't get the biz accounts. Changed my pw anyway.

And something's changed with their biz accounts anyway - it's been sold/rebranded or something and I'm not sure where the future lies... :[


I don't think they actually broke any laws. How do you expect them to be charged for your demands?


You got me, they only broke the law in 47 states.

http://www.ncsl.org/research/telecommunications-and-informat...


The California law, for example, just says it needs to be "expedient" without defining time limits. It isn't clear that they violated that law at all. They are disclosing a very large breach and I would assume that if they do see suits here, they will be civil suits.


Yes, making demands in a web forum is the way to resolve this.



