OP links to a copy of the email I received this morning.
Yet another company with a far too relaxed approach to security. What bothers me though is that they discovered this 2 weeks ago and I'm only hearing about it now.
Salts are considered public in terms of if they are leaked it's not damaging in and of itself. The entire purpose of them is to prevent people with the same password having the same password hash. Now if the salt was your name or something that's a different problem.
> The entire purpose of them is to prevent people with the same password having the same password hash.
... which helps protect against the use of existing rainbow tables, as the hash from site A won't be the same as site B, even if the underlying password is the same.
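As an added illustration of the two replies above (example code, not from the thread or from MusicBrainz), assuming PBKDF2-HMAC-SHA256 and constructed salts: two users with the same password get different digests, and a table precomputed for one site's salt does not match the same password on another site.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept low for a quick demo; production uses far more


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest. The salt is stored in the clear next to it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_record(password: str) -> dict:
    """Create a stored credential with a fresh random per-user salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])


def same_password_distinct_hashes(password: str) -> bool:
    """Two accounts sharing a password still store different digests, and both verify."""
    a, b = new_record(password), new_record(password)
    return a["hash"] != b["hash"] and verify(password, a) and verify(password, b)


def precomputed_table_misses(password: str) -> bool:
    """A table built for site A's salt does not hit the same password under site B's salt."""
    site_a_salt = b"constructed-salt-site-A!"  # constructed, not a real leaked value
    site_b_salt = b"constructed-salt-site-B!"
    candidates = ["password", "hunter2", password]
    table = {hash_password(p, site_a_salt): p for p in candidates}
    hit_on_a = hash_password(password, site_a_salt) in table
    miss_on_b = hash_password(password, site_b_salt) not in table
    return hit_on_a and miss_on_b


if __name__ == "__main__":
    print("distinct per-user hashes:", same_password_distinct_hashes("correct horse"))
    print("cross-site table misses:", precomputed_table_misses("letmein"))
```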
Hi, I'm the guy who's pretty much responsible for all of this, but I just wanted to clarify a few things.
> Yet another company with a far too relaxed approach to security
I don't think we have a relaxed approach to security, we do our best to take it as seriously as possible. Sadly, we have only 3 programmers, a large legacy code base and generally insufficient resources. As we provide public data dumps anyway, it's unfortunate that mistakes can become as magnified as this one, but it did happen. It's not a reason this should have happened, nor is it meant to be an excuse, but I don't think many people are aware of this.
> What bothers me though is that they discovered this 2 weeks ago and I'm only hearing about it now.
Yes, I've worked night and day to try and get the work necessary to even send these emails out for the past fortnight. We've never had to do mass mailing like this, so we simply don't have the infrastructure to send the emails. Again, it's not really a reasonable explanation, but that's why it happened.
Hi there, thanks for taking the time to reply. I appreciate the effort involved and apologise for my harsh words - I've just been a little frustrated as it's getting to be a weekly occurrence that some company loses my data / password / credit card details.
Amen, I'd like to push the blame on the fact that we still even have to deal with passwords and stuff in this day and age, but that's hardly putting a better suggestion forward :(
Their site in general is pretty dumb. I logged in and deleted my account but it didn't log me out, it just changed my name to 'Deleted Editor #XXXXXX' - I can still edit all the account details.
> Yet another company with a far too relaxed approach to security. What bothers me though is that they discovered this 2 weeks ago and I'm only hearing about it now.
The blog post they link to is dated April 5th: http://blog.musicbrainz.org/?p=1844