Today I learned about flare.io, a company that provides other companies with detailed intel about data leaks affecting them.
-
Today I learned about flare.io, a company that provides other companies with detailed intel about data leaks affecting them.
Here's the catch: Unlike @haveibeenpwned or even intelx, they store everything that they can get their hands on. During a live demo, they proudly pulled up all email/password pairs that they have for a company that is not one of their customers, showed off how it saves not just the combo but everything the infostealer got, including all browser cookies and a screenshot of the personal machine of an affected employee.
So many things wrong with this..
- We just told them which company to look up, no verification at all.
- Bringing a demo laptop logged in to a "full admin" account that can see all data that they have access to, to a conference stand
- Storing a screenshot of a personal machine from an employee is absolutely not okay.
- and so much more...
When asked about legalities, they claim "it's based on needing to know this information for the companies" and falsely claimed "haveibeenpwned does the same thing, they also sell access to the combos" 🫨
Anyway, i sent a GDPR request for my data (and subsequent deletion), let's see what happens.
-
R relay@relay.infosec.exchange shared this topic
