whoami (sic), Valid question. I have held many titles, but with reference to this post, you may refer to me as a security researcher that walks a very thin line, but understands the thresholds of the systems I choose to be a part of. A name pro fan? Donโt feel special, I make my presence known on forums that belong to your competitors as well, regardless of their politics. Also a privacy advocate and data protection officer concerned with how companies use and store data. Any company that does business in the state of California or the European Union and soon to be many more states is subject to oversight, regardless of how that makes them feel. Many times you donโt have to โHackโ in order to obtain the data, for instance, it required no hacking for me to verify that Epik purchased a company called Cityinformation BV, I just did a google search with a couple properly punctuated terms and a wealth of information was available, which in and of itself could be benign, but in the event of a breach it shows that there are many compliance issues, and when a company does any business in the EU that is a problem with the GDPR, also If a business holds data on any customers who are residents of the state of California and there privacy is breached that becomes an issue with the Attorney general of California. With respect to PCI DSS information that is a completely different situation and falls under the governance of the PCI Security Standards council, which brings us to the issue of Unsalted Md5 hashes and CVV numbers. There is a minimum threshold companies must adhere to in order to be in compliance with those standards and my assessment leads me to believe that threshold was not met. Period. Now you can take my assessment with a grain of salt, just make sure you use that salt for the Md5 hashes of any credit card information that is stored on your servers, or do as many do and use a third party vendor to process payments, which in the case of Epik became increasingly harder, not because of their political stance, but because of their poorly written code and their complete lack of cybersecurity, a term I personally loathe, because anybody within an organization that claims their system is secure IS the vulnerability. Consider the Epik breach a cautionary tale and use the information you are being presented by people who may not share your world view as free advice. Advice that would normally cost you a hefty price. As for those who are asking for clarification on terms they may not be familiar with, I offer you this: become familiar with these terms, google them if you have to, but learn them.
