The ONLY times I’ve ever had to verify my name/age/birthdate was on vape related web sites when I wanted to purchase something…
** This has now come to bite me (and possibly YOU) in the ASS.**
Normally, I don’t put any “personally identifiable data” on the internet, but a web based user verifier company has been hacked… because they are/were stupid in how they stored their data. I usually don’t worry about hacks, but after all the hacks and data theft on the internet, you would think a company that was storing data about YOU would have their shit together and have it locked away and actually “difficult” to hack into, but NOT like this…
And it seems verifications.io was caught with their pants down, and they had a database open to the world with no passwords… that contained personally identifiable information about YOU.
I don’t know if I should be all that concerned, but now there’s even more personal data out there. I’m not that concerned, because I’m poor and have no money, but just really, really pissed off that a company had no idea what a “secure” infrastructure consists of… I’m not a data security guy, but even I know not to do what they did…
Here's a cut/paste from their email:
An email on a domain you’re monitoring has been pwned
You signed up for notifications when emails on [XXXXXXXXXXX] were pwned in a data breach and unfortunately, it’s happened. Here’s what’s known about the breach:
Dates of birth, Email addresses, Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone numbers, Physical addresses
In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes such as names, phone numbers, IP addresses, dates of birth and genders. No passwords were included in the data.
I don’t think this kind of information can do a lot of harm. You can find this information online. Most people happily broadcast this to the entire globe but even when they don’t, it’s all searchable.
It’s your personal ID and creditcard numbers you have to worry about, they didn’t get any of that, and…
So you’ll be fine
Personally I’ve never been asked for verification of anything and I would most likely move on and buy somewhere else if they ever did.
Hell, I don’t even use the Cloud cause I’m not really convinced they are able to keep my personal data secure
Sorry to hear it @DaveDave. Only verification I will abide are simple calendar checks or a yes/no when first arriving at the site. I have not and will not do third party verification of any kind. There are too many sites I can find stuff on to have to use one of them. I’m always leery of using PII (that personally identifiable information) because there are so many out there dying to get hold of it.
I have used such sites. I send them a photo of my drivers license with everything blurred out except my name and birth date. They have all accepted it with no question. If I google search my name, far more detailed information is already available mostly from public records such as owning a home, divorce, business, etc…
I have not been loose with my information in the past, it was already available before the internet was a thing. If I search my name on Zabasearch or Spokeo, they will list my age, all my past addresses, siblings, parents, ex-wives and phone numbers.
The state I live in is so backwards and corrupt anyways, I figure my info has already been pilfered. It seems like every few years they bust rings of DMV employees stealing info and selling fake licenses. Now, if you are under the radar and you don’t show up in any or all searches, and wish to remain so, by all means protect it well.
If you have a bank account, a credit card, a mortgage, car loan, whatever… Even if you have never been online once in your life, your information is still out there. Because obviously every business and government entity stores their data electronically, and rarely is it air-gapped. No one can hide unless they were born in a cave and live in one forever with no connection to the world. An un-person, as it were.
You are correct. I am not attempting to minimize the situation or say that since you are already known to the world that you should just give out your info willy nilly. I am not giving these vape sellers any info that they couldn’t verify with a simple google search, and in my case its often because I have different shipping and billing addresses. When I send a copy of my license, it only shows that my name and age are correct. No address, no license number, no photo, no ID number, no weight, height or eye color. Protect your info all the time
I’ve never been asked to send/upload a copy of my drivers license before, and I wouldn’t send it even if asked – especially to a vape “store” – if they use an age verification service, ok, but not Joe Blow, at a vape store.
The “service” just asked for, IIRC, name, email and DOB. If you entered a fake DOB, the email address you used is blocked (I tried!). That’s why they got a second or third email, because I had to try again with a different email address.
So they already have your info, they’re just confirming that “you are you”.
These damned repositories (aka: private companies) of OUR info should know better by now ! Instead of an apology and a slap on the wrist, their penalty/fine should be large enough that they would want to secure that info at all times.
Its very frustrating that so much of our information is out there and freely shared. Its never safe. A dedicated hacker could get it if they wanted to if they haven’t already. On the other side of it, we would be pissed if they didn’t make an attempt to verify and someone made a fraudulent purchase on your credit card. The drivers license thing is equally silly. I am not all that skilled with photo editing, but could whip up a picture of a fake in a few minutes. I have only sent my license picture to three vape stores. All well known and been around for a long time. That doesn’t mean their info is protected or that they don’t have a crooked employee that will steal it. I had a feeling they were only verifying rather than using it as a primary source of ID. I am more concerned about the credit card information I give them than my blurred out license. I agree that if a company stores your info, there should be real and substantial penalties for letting someone steal it.
I know that once I bought from a vendor that uses shopify, my info is linked to any other vendors that also use it. Its convenient but also scary. Sadly its the price we pay for instant gratification. We could go back to the old way of seeing something in a catalog, sending a check or money order with the order form via snail mail and maybe get the item 6 weeks later. Sometimes its like “Ohhhhhhh look at that shiny new RTA… I must have it”
I’m conflicted about that, a little. First off, who says Google searches are 100% trustworthy. A kid or identity thief could easily upload crap profile stuff that would be crawled and available via search. Secondly, any store that sells online should have to verify that a buyer is sincere— if it applies to vaping, it should apply to everything. You can’t get a credit card in your name if you are not at least 18 (AFAIK anyway), so it’s the responsibility of the seller only to verify the shipping address matches the CC address, or make a reasonable effort to learn why it is different. I do not feel a seller should have to verify identity. Making vape sites do it is just sour grapes and vindictive.
As far as verification goes… Amazon is a great example of lax requirements. All someone needs is my Amazon password, and they can buy anything they want and ship it anywhere they want, no questions. They store CC info and even let you ‘one click order’. And you can send it anywhere. It’s a convenience thing and I like it for sending stuff to friends and family to save me the extra shipping cost and hassle. But it’s a blank check for anyone who can breach your creds. So poo on vape site verification garbage. Symptom of a hateful, spiteful, over-reaching government.
Its all stupid as far as I am concerned. Usually for me it comes down to how much I want an item, is the vendor reputable and how much I want an item? Did I repeat myself? Probably. Oooohhh USPS says my package is in the mailbox! What? Oh right.
I agree with everything you said. Paypal is similar in that I can send to other addresses. Add to the frustration for online vape stores that states have different legal ages for vaping and if they sent stuff to an 18 year old here in CA and got caught, they would probably have to pay dearly. I don’t like any form of government being involved in much of anything, I also don’t want my favorite vendors getting in trouble and going out of business.
Preach the truth my brother! I consider myself a believer in the constitution rather than belonging to any political party. Radical, I know. We have allowed everything to stray so far off course, its crazy.
Funny though… having lived the life online and living out here in the sticks… I kinda like the thought of disappearing. Off the grid, as it were. Feels like it; I get no pizza delivery out here. Almost 18 years since I answered the door to a pizza pie delivery guy.