Justin Robert, the CEO of Hong Kong-based Hzone, has issued a statement regarding the public disclosure that his company's app used a misconfigured database and exposed 5,000 users. But rather than answers, his statements and random accusations only lead to more questions.
Note: This is a follow-up story to the original posted here.
Sometime before November 29, the database that powers a dating app for HIV-positive singles (Hzone) was misconfigured and exposed to the web.
The database housed personal information on more than 5,000 users including date of birth, relationship status, religion, country, biographical dating information (height, orientation, number of children, ethnicity, etc.), email address, IP details, password hash, and any messages posted.
The researcher who discovered the database, Chris Vickery, turned to Databreaches.net for help getting the word out about the data breach and for assistance with contacting the company to address the issue.
For than a week, notices sent by Dissent (admin of Databreaches.net) and Vickery went ignored. It wasn't until Dissent informed Hzone that she was going to write about the incident that they responded.
Once HZone responded to the notification emails, the first message threatened Dissent with HIV infection, though Robert later apologized for that, and later said it was a misunderstanding. Subsequent emails asked Dissent to keep quiet and not disclose the fact that Hzone users were exposed.
In a statement, Hzone CEO, Justin Robert, says that the original notification emails went to the junk folder, which is why they were missed. However, according to his statements sent to the media – including Salted Hash – his company was working for a week to get the situation resolved.
"Our database security experts worked tirelessly for a week at a stretch to ensure that all data leakage points were plugged and secured for the future... Our systems have captured vital data pertaining to the group involved in the condemnable act of hacking into our databases. We firmly believe that any attempt to steal any sort of information is a despicable and immoral act, and reserve the right to sue the involved parties in all relevant courts of law..." – Justin Robert, CEO, Hzone (12-16-2015)
So if he didn't see the notifications for a week, and according to his emails to Dissent on December 13, the company didn't know about the leaking database until reading the notification emails – how did the company know to fix the problems?
Notifications were first sent on December 5, and the issue wasn't actually resolved until December 13, the day Robert first responded to Dissent.
"We noticed the database leaking at around 12:00 AM on Dec 13th, and an hour later, the hacker accessed our server and changed our users' profile description to 'This app is about users' database leaking, don't use it'. Around 1:30 AM on Dec 14th, our IT team recovered it and secured our server," Robert told Salted Hash in an email.
In several emails to Dissent sent on the day the database was secured, Robert accused Dissent of changing the Hzone user database. But follow-up emails suggest that the company couldn't tell what was accessed or when, as Robert says Hzone doesn't have "a strong tech team to maintain the site."
In another email Robert asked Dissent for advice:
"Meanwhile, I appreciate it very much if you have any professional and valuable suggestions on our database security. We will optimize it step by step."
The timeline Hzone offered to Salted Hash via email doesn't match the disclosure timeline outlined by Dissent and Vickery. It also implies Dissent and Vickery altered the Hzone database, an act that both of them strongly deny.
On December 17, Robert sent another email to Salted Hash addressing follow-up questions. In it, he admits that the company didn't protect their user data, while avoiding a question asking about the previously mentioned protection measures that were added after the breach was mitigated.
At this point, it's unclear if user data is actually being protected. Robert again accused Dissent and Vickery of altering user data.
"Someone accessed our database and wrote to it to change most of our users' profile and removed their photos. I cannot tell who did it for some law concerned issue. But we keep the evidence and reserve the right to a lawsuit at any time.
"Hzone is just a small baby when facing to those hackers. However, we are trying the best to protect our members. We have to say sorry to our Hzone family members that we didn't keep their personal information safe. We have secured the database and we promise this will not happen again." – Justin Robert, CEO, Hzone (12-17-2015)
The statement also called those (including yours truly) in the media reporting on the data breach immoral, because we're hyping the issue.
However, it isn't hype. The information in this database could cause real harm to the users exposed. Given that the company didn't want the issue disclosed to begin with, the media were right to disclose the incident instead of allowing it to be covered up. If anything, the coverage might have helped alert users that they were – at one point – at risk. Based on his original statements, Robert didn't have any intention of notifying them.
Eventually, the company did place a notification on their homepage. However, the link to the notification is simply titled "Announcement" and it's part of the top-row of links; there is nothing stressing the urgency of the matter or drawing attention to it.
In fact, it's easily missed if one wasn't looking for it.
In addition to the breach, Hzone faced complaints form users who were not able to remove their profiles after using the app. The company now says that profiles can be removed if the user emails support.
Salted Hash shared the emails sent by Justin Robert with Dissent so that she had a chance to provide comment and reaction.
In an email, Dissent offered the following:
"So in one breath, Robert thanks DataBreaches.net for alerting them, and in the next, he threatens to sue me? Shooting the messenger is not part of a good incident response plan.
"But I am glad to see Robert now admit that they didn't begin working on securing the leak until December 13 - five days after Chris Vickery and I first began to try to reach them to secure the leaking database.
"People living with HIV face many challenges. Having to worry about their personal and financial information leaking or being available to criminals should not be among them.
"Hzone made a mistake in their security. If they had better contact information, they could have known sooner, secured the leak promptly, thanked the researcher, and moved forward after notifying their users. Instead, they have lashed out, made defamatory accusations, and issued threats."