PSA: we might have accidentally leaked your email address and birth date :(

So now those hackers can congratulate me on my birthday? Damn!

As far as I know, you can’t delete an annotation, just empty it and save it, so you would be the last to have edited that annotation.

I can’t say I have been receiving more spam, by the way.

EDIT: the blog post doesn’t mention reporting the leak to the Spanish data protection agency. I’m not sure of the legal status of MetaBrainz (US foundation, but very present in Spain at the moment) and the exact requirements, but you likely have to report it at an EU data protection agency.

1 Like

We aren’t currently planning to send emails, because it would probably require hiring an external company to do so (since the amount of emails is large enough they’d probably be blocked as spam), but if people feel strongly enough about us doing this, we will :slight_smile:

It’s probably what would make another notice appear for my email, in the handy Firefox Monitor?

We’re a California 501.c.3 non-profit; our Spanish org is only for maintaining an office here and it is literally named as such – it’s a “pass through” organization that shunts all matters that don’t relate to the office in Spain to the California org.

I’ve also examined the new California Consumer Privacy Act and it doesn’t apply to us nor do I see a stipulation about notifying anyone about the breach.

I think our disclosure is sufficient as far as the applicable laws are concerned. Our main concern is ensuring that our community is happy with our efforts.

No, I think those alerts are added only when a data dump is found out in the wild – in this case there is no comprehensive dump floating about. And clearly we cannot send the affected email addresses to anyone for notification purposes, that would be worse than the leak itself. :confused:

2 Likes

I’m no lawyer, but you do process data of EU citizens and through the foundation’s supporters and sponsors you are doing business in the EU. Wouldn’t it be better to be safe than sorry and at least contact your legal representation or the Spanish DPA to make sure you are in the clear? No offence, but thinking your disclosure is sufficient is probably not sufficient.

6 Likes

I’m just adding this even simpler tool that Firefox Monitor is based on:

Have I Been Pwned?
Check if you have an [email address] that has been compromised in a data breach.

I don’t know if it’s safe to write our email address in their form… :thinking:
But I did it myself:

Oh no — pwned!
Pwned on 12 breached sites and found 2 pastes.

1 Like

OK, I will upgrade my statement to “I am confident that we don’t need to report this to anyone.”

However, in an effort to not make it seem like I am blowing you off, I will pose this question to our board of directors so that they may chime in and have the last word on this. Stay tuned.

4 Likes

Gee, thanks…

What I find particularly heinous about the leak itself is that it de-anonymized users. The Wikimedia Foundation takes anonymity very seriously, and I can’t imagine them treating such an issue with similar glibness. Honestly, this might be the end of my contributions to MetaBrainz projects.

1 Like

Yes, and we’re very sorry about that. I don’t think we’re not taking it seriously, and as I did mention above, if people think we should be mailing everyone who could be affected and it will be useful rather than making them annoyed to receive the email, we will. I think the only difference is the understanding of whether a report is needed or not.

FWIW I did take the Spanish test @mfmeulenbelt linked to (which honestly was pretty confusingly written even for a native Spanish speaker :confused:) and the automatic answer it gave me was basically “our system is not sure how to deal with this situation so we don’t know whether you should do anything, we guess you should probably let your users know, either contacting everyone directly or via a public notification if contacting everyone seems too complicated.” It felt like it was mostly meant for stuff like leaks of medical or financial data rather than emails and whatnot.

Hopefully you end up deciding to stay! :slight_smile: But if you decide to go, thanks for all the good contributions in the meantime and sorry about the whole thing! :confused:

As an aside, given how un-seriously they took the whole issue with the copyright trolls we had a couple years ago, I don’t have a lot of trust in the WMF’s way of dealing with anything, to be honest (and I say this as someone on the board of a Wikimedia chapter), and my understanding is that a lot of users are unhappy with the WMF not taking them seriously for most things. But hopefully you’re right about that :slight_smile:

5 Likes

Thanks for the transparent communication on this incident. As other users have hinted, I do think an email to all affected users would be necessary (unless you have evidence that your blog post has already reached them, which I guess would be difficult to prove). Even though the Foundation may not be bound by GDPR, as one of its effects users’ expectations in terms of disclosure are probably higher than they used to be. Also, even inactive users may want to take action as a result of the incident. Other users have already argued for reporting the incident to a DPA, which I would also strongly consider given the potential consequences.

12 Likes

I’d like MB to provide a timeline of how this played out.

When did it first appear likely that users’ emails had been exposed?
It appears users were first notified on 2020-11-23. Is this correct?

The exposing of users’ email addresses shows that MB had code running that could harm users.
Please include starting time, finishing time, and the priority given to any sweep of all MB code for other instances of potentially harmful code.

There has been a mistake that has significantly reduced my confidence in MB procedures.
How that mistake has been responded to by MB is what may, at least partially, redeem MB.

The blog post linked above has some details on this. Obviously it looks like the issue was introduced with a release on 2019-04-26 and fixed with a hotfix on November 22.

2 Likes

Thank you for the timely response and allowing this discussion on the topic. All opinions and concerns are valuable input. The more I read the forum and listen to member input, the greater appreciation and trust I have for ALL those involved. Mistakes happen even in the best environments, admittedly this is an interesting or puzzling one, but it has been fixed. I trust what else needs to be done will happen after careful review.

1 Like

Obviously - when I haven’t read the blog post?

[redacted]

I am not familiar with this phrase, but a quick Google tells me something like “Stop acting like an idiot or talking rubbish”. I’m sorry if I upset you, but I don’t think I was talking rubbish. I don’t know anything more about the issue myself except for what was written here or on the blog. I just tried to answer your question.

My apologies if I misunderstood the phrase.

3 Likes

Addressing the blog post:

The delay of the notification to everyone until after a fix was in place makes good sense to me.

I’m not seeing anything about a sweep of code to ensure that something similar is not still in place.

This is concerning.

I’d like management to address this issue in depth.

And I apologise for over-reacting to “Obviously”.

2 Likes

Mmmh, ok. I didn’t get this. I meant this more in a sense of “seemingly” or “as it looks like”, as the blog post does not talk explicitly about a time range. I think this is just me not being a native speaker. All good again :smiley:

1 Like

Question: I see people talking in other forum posts about how they can “Download a copy of the MB website to install on their own server”.

Can I get a confirmation that the leak would not be in that code? I assume those people with a clone of this website would not have our email and DoB data?

Thanks.

5 Likes