Reported to the third party before breakfast because well-known VC-backed ecommerce startups can't do security apparently and that stresses me out.
Hope they respond well to security reports, otherwise I will have to cancel my subscriptions.
Moments ago, exclusive footage from my desk:
Critical security vulnerability in a US-based website with 1 million+ accounts, 30-130k paying. No phone number. Multiple emails sent.
Patiently waiting since I have no other options.
Also realized they have EU customers, so they likely violated EU data breach reporting laws (72 hrs). Not sure if that applies to vulns allowing breach.
I'm finding it harder to trust their initial reply: "We take our customer's security very seriously and will investigate this thoroughly."
I've had to contact the last group of people I would prefer to contact in this situation: one of the company's VC investors (an org).
Luckily they are more responsive and reached out to the company, so hopefully the reporting process gets moving soon.
But still no progress.
Email said they will "fix the problem right away", which is not possible since I have not sent details. I was requesting a security contact.
Now to write up and submit the other... *counts* 8-12 (!!!) other vulnerabilities I've found on their website over the past few days, some also high-severity.
They reported their highest-severity issue was resolved, in a matter of hours. (I haven't fully verified yet.)
They now have the other vulnerability reports (7 so far, 9 total) so hopefully they can fix the more severe ones just as quickly.
That is how it should be handled from the very beginning.
Shouldn't take escalation to their CEO via an investor.
Now to wait for all of those to be fixed, and then move on to request disclosure to users, etc.
Enjoy your safer weekend, [Redacted Company] customers!
Thanks for the interest, everyone!
Until then, @troyhunt's Data Breach Disclosure 101 is a great read: troyhunt.com/data-breach-di…