'Cuddly' German chat app slacking on hashing given a good whacking under GDPR: €20k fine

German chat platform Knuddels.de ("Cuddles") has been fined €20,000 for storing user passwords in plain text (no hash at all? Come on, people, it's 2018). The data of Knuddels users was copied and published by malefactors in July. In September, someone emailed the company warning them that user data had been published at …

  1. GnuTzu

    I Love It

    Enforcement of laws against stupidity. Yeah, if you've got people's data and you don't even use minimally reasonable security practices, smack up side the head. 'Nuff said.

  2. Korev Silver badge

    As well as acknowledging Knuddels' cooperation, the authority's State Commissioner for Data Protection and Freedom of Information, Stefan Brink, said it was avoiding the temptation to enter a "competition for the highest possible fines".

    The watchdog also wanted to avoid bankrupting the company. "The overall financial burden on the company was taken into account in addition to other circumstances," the authority noted. ®

    Shame, a colossal fine that threatens a company's existence is exactly the thing that would make organisations take security seriously.

    1. a_yank_lurker

      @Korev - I think the fine is reasonable as Knuddels apparently copped a mea culpa and fixed the problem (the real intent here). The idea of having a massive fine available is for the Zuckerbergs of the world who did not make a dumb mistake but don't care about protecting user data. For the dumb mistakes that are fixed, a mild fine for being stupid. For the Zuckerbergs, bankrupt the bastards.

      1. Richard Jones 1

        @a_yank_lurker Right On

        Sorry I can only give you one upvote, my impression is that as an early offer action and fully explaining what was done it struck the right note. I suspect that the scale of response might tend to increase as the system beds in, though always with the perpetrator's intent in mind. The Zuckerbergs of this world have a mind set only on maximum return for them and to hell with everything and everyone who might threaten that result.

      2. Helena Handcart

        But storing passwords in plain text is more than just a dumb mistake! If the monkey they trusted with the development of the user registration can't even get their head around the need for it, they deserve to have their heads on pikes at the front gate.

        If someone had decided to roll their own crappy crypto, that would at least be understandable.

        1. Mark 85

          ...they deserve to have their heads on pikes at the front gate.

          At some point, the enforcers of GDPR should do this as an example to others. At this point, heavy fines are just a threat. The law might have teeth but the implementation doesn't so where's the motivation for companies to comply? Or two heads on pikes would go a long way to getting others into compliance.

        2. Anonymous Coward

          Sure, but what if the site owners are non-techies who hired "specialists" to do the work?

          1. Tomato42

            then the owners clearly failed their due diligence in hiring those specialists

            having a "vision" is only part of C-level duties

            1. John Brown (no body) Silver badge

              "then the owners clearly failed their due diligence in hiring those specialists"

              Is this a case of hiring in more specialists to check the first lot? Who checks the second lot? Specialists all the way down?

              1. Jamie Jones Silver badge

                That's the thing...

                There's a largish shop in my village growing up, selling model railway stuff. It seemed quite specialist and out of place for a small village, but it turned out they had a strong national reputation and mail-order presence.

                Now, I've no idea of their current business, or technical skills or website presence, so this is not related to them specifically, but imagine a fictitious family company like that.

                Presumably they'd by now have got a web presence, where most of their sales would be made. They need a website. They are a single store, family shop, but require a relatively decent online shop - the vast majority of orders would presumably come that way.

                Now, they know nothing about the internet, but do know enough about the business to know that they need something more professional than grand-son Johnny to code it, so they search for a company to do the job, and then... the same thing as in this article happens to them.

                Should they have known to use a third party transaction site? Should they have known to audit password storage methods?

                They hired specialists. As John says, specialists all the way down?

                By the way, I'm not writing this as a "gotcha". Presumably they have some sort of protection, but if a dodgy builder caused my house to fall down, presumably he'd be in some guild of builders that underwrite insurance on jobs?

                In this case? I dunno. I'm curious, but stupid.

                [ EDIT: I just googled the company I originally mentioned. They're still going, over 30 years later, but no ordering website, just some crappy front page template looking from the early 90's... There's more info on them via google maps than via their own website.. wow! ]

                1. tim 13

                  As a railway modeller, now I'm curious!

                  1. Jamie Jones Silver badge

                    :-)

                    As I said, I have no idea how their business runs - my example was not based on them, but a "mythological company like them"

                    But this is them! :

                    Holt Model Railways, Bishopston, Swansea

                    1. Anonymous Coward

                      holtmodelrailways.co.uk

                      ARGH MY EYES

            2. Doctor Syntax Silver badge

              having a "vision" is only part of C-level duties

              But who's going to explain that to them?

          2. brotherelf

            You still need to have a stack of paperwork that is signed off by the company's DP officer. (Who in this case, or so the rumour goes, only found out about the passwords when the excrement-propeller distance was already critical.)

            Basically, GDPR extends the usual Weinberg's Second Law from engineering to about as big an effort on top in paperwork.

          3. Doctor Syntax Silver badge

            Sure, but what if the site owners are non-techies who hired "specialists" to do the work?

            They can sue the specialists for €20k. After all, in such circumstances the specialists would have deserved to be fined.

        3. Anonymous Coward

          You brought up an interesting point

          "If someone had decided to roll their own crappy crypto, that would at least be understandable."

          What level of encryption and/or obfuscation is acceptable as a minimum?

          Are there hard and fast rules regarding this or just recommendations?

          Could the developer get away with just base 64 encoding users details?

          1. A.P. Veening Silver badge

            Re: You brought up an interesting point

            "Could the developer get away with just base 64 encoding users details?"

            That would depend on the technical expertise of the watch dog, but I doubt it. Besides that, base 64 encoding is rather inefficient, at least for storage.

            1. John Brown (no body) Silver badge

              Re: You brought up an interesting point

              "Besides that, base 64 encoding is rather inefficient, at least for storage."

              Yeah, even ROT13 is more efficient!

          2. Helena Handcart

            Re: You brought up an interesting point

            While base64 is an encoding and not crypto, I get your point. The rule of thumb I was taught is to stop when the cost of developing the crypto exceeds the value of the data. So as they were fined €20k, that would give them 2-4 developer months of time (less if they were HPCs). If it takes someone that long to type h=crypto.md5(password) then they are a VHPC.

            1. itguy

              Re: You brought up an interesting point

              h=crypto.md5(password) ???

              Md5? Surely you're not still using this for hashing passwords?

              1. Helena Handcart

                Re: You brought up an interesting point

                I think you missed the point, md5 is not great by today's standards, but it's orders of magnitude better than plain text.

          3. Zonker Zoggs

            Re: You brought up an interesting point

            Base64 would certainly not suffice, as it's an encoding, not encryption:

            https://stackoverflow.com/questions/4070693/what-is-the-purpose-of-base-64-encoding-and-why-it-used-in-http-basic-authentica
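Added example, not part of any comment in this thread: the three storage options argued over above (base64, unsalted MD5, and a salted slow hash) applied to the same constructed users, showing which ones reverse or repeat. The user names, passwords and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware


def b64_record(password: str) -> str:
    """Base64 'protection': an encoding, reversible by anyone, no key."""
    return base64.b64encode(password.encode()).decode()


def md5_record(password: str) -> str:
    """Unsalted MD5: one-way, but fast and identical for identical input."""
    return hashlib.md5(password.encode()).hexdigest()


def kdf_record(password: str) -> tuple[bytes, bytes]:
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def kdf_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shared_values(records: list) -> int:
    """Count stored values that appear for more than one user."""
    return sum(1 for r in set(records) if records.count(r) > 1)


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
    b64 = [b64_record(p) for p in users.values()]
    md5 = [md5_record(p) for p in users.values()]
    kdf = [kdf_record(p) for p in users.values()]
    print("base64 decodes back to:", base64.b64decode(b64[0]).decode())
    print("shared base64 values:", shared_values(b64))   # alice == bob
    print("shared md5 digests:  ", shared_values(md5))   # alice == bob
    print("shared kdf digests:  ", shared_values([d for _, d in kdf]))
    print("login check:", kdf_verify("hunter2", *kdf[0]))
```
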

      3. Doctor Syntax Silver badge

        "I think the fine is reasonable as Knuddels apparently copped a mea culpa and fixed the problem"

        Those are factors to take into account. But at some point the message needs to get across that you can't just wander into setting up a site with no knowledge that you need to secure it, or maybe no knowledge of whether the people you entrusted to do that actually did so. If people can get away with saying sorry and fixing it after the event they will, and that doesn't undo the damage that might have been caused. From this event it's probably 800k people who need to change their email addresses with all the inconvenience that causes to get off spam lists and maybe a few of those will lose money getting scammed along the way. Repeat for every business that hasn't got the message yet.

      4. pavel.petrman

        Re: correct dumb mistakes and bankrupt the bastards.

        Yes.

        Contrary to popular belief, Europe could actually learn an important bit in the mosaic called "success" from Germany. My several years long experience with scores of Beamte (German public servant) is that they are given quite a wiggle room by the law and they tend to use it with consideration of all parties involved. Single mother failed to file a tax report appendix gets a different treatment than a used car dealership making the same mistake third time in a row. It is my unsubstantiated feeling that the loose law is not abused to a greater degree than a seemingly strict one in other countries. Matters of public interest, like this one, are accompanied by a sentence or two of explanation, again, usually to the point and without much political newspeak. I like to call it a governance soft skill, and to a great regret of the almost dead citizen in me it is not given the sort of attention it ought to earn in other countries proclaiming the intent to get as rich and effective in governing as Germany.

  3. d3rrial

    Well Microsoft also store passwords for their Office 365 in plain text and nobody is complaining there.

    1. Martin Summers Silver badge

      I call bollocks on that one.

      1. d3rrial

        Feel free to present me an alternative reason for limiting the password length to a maximum of 16 characters.

        1. Jamie Jones Silver badge

          .... saving upload bandwidth? :-)

        2. Tom Chiverton 1

          Keeping it within the hash table space of TLAs...

    2. Adam Azarchs

      Wouldn't know about MS, but banks...

      HSBC at least I'm certain is storing my password in plain text.

      How do I know? Each time I log in they choose a random subset of characters from my password which they want me to enter. I'm not clear on what the point of this process is (making password managers harder to use would be my guess, because their IT security staff apparently live in backwards-land) but unless they've stored hashes for every possible combination of 4-character subsamples of my password (which wouldn't be a whole lot better, mathematically) then they're storing it plain-text.

      1. Richard Jukes

        Re: Wouldn't know about MS, but banks...

        That is not your password. It is a security phrase. And they have drop down boxes to defeat key logging software.

        I'm sure your actual password is hashed.

        1. Anonymous Coward

          Re: Wouldn't know about MS, but banks...

          the password is probably never stored (hashed or unhashed) as a complete string

          with a couple of the UK banks login is as follows...

          Step 1 : enter customer id - date of birth followed by a 4 digit number (the 4 digit part is sequential based on account creation and the date of birth, I know this because I have a couple of business accounts with sequential id numbers)

          Step 2 : enter 3 randomly chosen characters from a chosen pin No (not the card pin) - standard form fields not drop down

          Step 3 : enter 3 randomly chosen characters from your password - again standard form field not drop down

      2. knottedhandkerchief

        Re: Wouldn't know about MS, but banks...

        HSBC, FirstDirect and Charles Stanley do similar. I notice a pattern - only about six or so combinations are requested, so I guess they hash all those combinations.

  4. DrXym

    Not the only one by any stretch

    I remember trying to log into a site (a primary school magazine/blog thing) clicking the "I forgot my password" and receiving an email telling me my password as plaintext.

    I use throwaway passwords for trivial sites so the damage wasn't big but I could well imagine that there are many sites like this and many users who use the same password across multiple sites.

  5. adam payne

    The watchdog also wanted to avoid bankrupting the company. "The overall financial burden on the company was taken into account in addition to other circumstances," the authority noted.

    Sounds like they're up to their eyeballs in debt and 20k was the best the watchdog could hope to get.

  6. Anonymous Coward

    Come on register any excuse for a picture of the late great Keith Harris and Cuddles the Chimp.

    https://www.bbc.co.uk/news/entertainment-arts-32495447

    1. Anonymous Coward

      Come on register any excuse for a picture of the late great Keith Harris and Cuddles the Chimp.

      https://www.bbc.co.uk/news/entertainment-arts-32495447

      Well, that wasn't, that was a piccy of the late Keith with that annoying Duck

      signed Cuddles

  7. EnviableOne

    Reversible encryption

    there was a time when the plaintext was available, however the storage was encrypted with this lovely algorithm called AES. Avoided all this collision malarkey and allowed those part password challenges.

    the problem is you get one key and the castle's gone....
