Calgarypuck Forums - The Unofficial Calgary Flames Fan Community - View Single Post

Krovikan · 01-06-2021, 07:18 AM

PII probably isn't the big concern if the data was leaked, most data people sign up with is public domain PII. You could associate a person's username with their real name, which could be a huge PII issue if they have posted their political beliefs, religious beliefs, gender identity, sexuality, request for advice on sensitive topics, etc. on the forum. For some users, not a big deal, in my case, it's easy to figure out who I am from my username for others this could have an impact. This assumes they signed up with a real name.

The bigger concern was the passwords leaked, a lot of non-technical users probably use a few passwords for everything. Forums are quite often a vector of attack for other more sensitive credentials like email, bank, etc. password. The main vector of attack on World of Warcraft accounts when I played the game was via 3rd party forums not associated with Blizzard.

There is another risk IP can be considered PII, and I would assume that the forum has IP tracking, so theoretically if the audit logs were exposed someone could trace someone's movements by the geolocation of the IP address. It isn't GPS level tracing; however, it can give you city data which could be an issue depending on the person. With secondary access (to the ISP's network) a malicious actor, could in theory utilize the IP address to track the person to houses or public access points.

(None of this is saying suggesting there was a breach, this could be a fishing email, just trying to lay out some of the personal risks I could see to CP's data being leaked if it happened.)

(I personally am changing my password just to be on the safe side)

01-06-2021, 07:18 AM	#11
Krovikan Powerplay Quarterback Join Date: Jan 2010 Exp:	PII probably isn't the big concern if the data was leaked, most data people sign up with is public domain PII. You could associate a person's username with their real name, which could be a huge PII issue if they have posted their political beliefs, religious beliefs, gender identity, sexuality, request for advice on sensitive topics, etc. on the forum. For some users, not a big deal, in my case, it's easy to figure out who I am from my username for others this could have an impact. This assumes they signed up with a real name. The bigger concern was the passwords leaked, a lot of non-technical users probably use a few passwords for everything. Forums are quite often a vector of attack for other more sensitive credentials like email, bank, etc. password. The main vector of attack on World of Warcraft accounts when I played the game was via 3rd party forums not associated with Blizzard. There is another risk IP can be considered PII, and I would assume that the forum has IP tracking, so theoretically if the audit logs were exposed someone could trace someone's movements by the geolocation of the IP address. It isn't GPS level tracing; however, it can give you city data which could be an issue depending on the person. With secondary access (to the ISP's network) a malicious actor, could in theory utilize the IP address to track the person to houses or public access points. (None of this is saying suggesting there was a breach, this could be a fishing email, just trying to lay out some of the personal risks I could see to CP's data being leaked if it happened.) (I personally am changing my password just to be on the safe side)