Nearly a million passports just exposed on the public internet—and anyone could access them with a simple URL (cambridgeanalytica.org)
from yogthos@lemmy.ml to privacy@lemmy.ml on 30 Jun 14:17
https://lemmy.ml/post/49434954

archive.ph/a6Tmo

#privacy

threaded - newest

Hirom@beehaw.org on 30 Jun 14:55 next collapse

[…] PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe.

Get ready for many more leaks, as governments require identity and age verification everywhere online.

Many organisations, which cannot be trusted with this data, are going to be processing it.

desmosthenes@lemmy.world on 30 Jun 15:24 next collapse

first off - how is cambridge analytica still a thing in 2026?

ExperimentalGuy@programming.dev on 30 Jun 15:26 next collapse

That’s exactly what I was thinking

fubbernuckin@lemmy.dbzer0.com on 30 Jun 17:14 next collapse

They even mention the Cambridge analytica scandal for some reason

surewhynotlem@lemmy.world on 01 Jul 13:25 collapse

Probably AI written and they didn’t put “Don’t make us look like idiots” in the prompt.

0_o7@lemmy.dbzer0.com on 01 Jul 13:24 next collapse

It seems someone re-registered the expired domain and turned it into whatever it is today.

whois.domaintools.com/cambridgeanalytica.org

  • 299 days old
  • Created on: 2025-09-05
  • Expires on: 2026-09-05
SirSmoothAES@lemmygrad.ml on 30 Jun 15:57 collapse

Wiki says they’re defunct, so some party must have bought their website or something.

AmyAye@nord.pub on 01 Jul 00:29 next collapse

“Oops, welp, better get a new one with a stupid scowling Trump on it!”

– Idiot Administration probably

trilobite@lemmy.ml on 10 Jul 05:34 next collapse

Has the link gone down? I get error when trying to access

yogthos@lemmy.ml on 10 Jul 13:01 collapse

yeah here’s an archive archive.ph/a6Tmo

Maeve@kbin.earth on 10 Jul 05:41 collapse

The comments on combinator:

I have a real problem with the pretense posed by the article that the club has no blame. They should have understood the risk they were taking on by subcontracting a vendor to collect passports, and better vetted that vendor. Obviously the service provider was completely inept, but that doesn't absolve the fools using them.
I preach to my clients this sort of PII should be treated as a toxic, hazardous substance. Ideally don't touch it with a 10 foot pole, and if you can't help it then limit the scope, protect it with strong access policies that severely limit who can touch it (including encryption keys conservatively custodied), and securely delete it all as soon as possible.

Too many companies these days point you to shoddy third parties for some kind of functionality (e.g. book an appointment, perform KYC on you, host the online learning platform for your course, etc.), inappropriately foisting both a new business relationship on you that you never asked for along with their partner's terms of service that you have no bargaining power in negotiating.

This is a side-effect of the SaaS era, and the model is broken.

jwr 9 days ago | parent | next [–]

If these kinds of breaches were actually costly, then people would indeed treat PII as toxic. But they aren't. The media brouhaha blows over within a week or so, and things are fine again.
Leaking PII should be very, very expensive, and then this idiocy would stop.