Hacks Are Always Worse Than Reported: Nintendo's Breached Accounts Magically Double
from the whoopsie dept
One of these days, we writers at Techdirt will put our collective and enormous heads together, and come up with an actual proposed mathematical formula that should be applied whenever a company first announces a security or account breach, so that the public can calculate what that breach count will eventually end up being. The reason the world needs such a formula is because you can pretty much set your watch when a company announces such a breach that in the following weeks or months it will grow significantly. This happened with Equifax, with TJX, and even with our own vaunted federal government. But if we ever really did want to try to put some kind of formula together for measuring the underplaying of a breach on initial response, the historical breach that would probably brake such an algorithm would have to be Yahoo's email breach, which, in 2013, was the breach of a few hundred thousand email accounts, but in 2017 magically became all of the accounts. As in, literally all of them.
This severity progression is so routine that it should have a name for easy reference. I propose Geigner's Effect. I heard somewhere that if you write for this site long enough you get an effect named after you.
The most recent example of, ahem, Geigner's Effect (actually first proposed on this site by Mike Masnick, but he already has an Effect) is Nintendo, which near the start of the year announced that roughly 160k of its Nintendo Accounts had potentially been breached. In an update this week, Nintendo revised that number to nearly double the original amount.
Today, Nintendo announced another 140,000 or so more accounts may have been accessed. That means a total of around 300,000 accounts may have been breached. Nintendo pointed out in an update today that that’s less than one percent of all Nintendo Network ID users.
While that's true, it's also 200% of the amount that Nintendo originally said had been breached. And who knows what that number is going to be in another couple of weeks or months? It could stay the same, or it could be more Yahoo-esque and balloon significantly. Remember again, Yahoo revised its breach numbers on a nearly annual basis until it finally settled on "all the accounts." The public has no reason to trust companies on these numbers and every reason to dismiss the casual trotting out of seemingly comforting math by some PR goon.
So, we reiterate: when you see a report of a breach, know that it's always more severe than first reported. Until we have our formula ready for prime time, that's the best you can do.
Filed Under: breach, data breach, geigner's effect
Companies: nintendo
Reader Comments
"But if we ever really did want to try to put some kind of formula together for measuring the underplaying of a breach on initial response, the historical breach that would probably brake such an algorithm would have to be Yahoo's email breach, which, in 2013, was the breach of a few hundred thousand email accounts, but in 2017 magically became all of the accounts. As in, literally all of them."
Please, I'm sure it's possible to reach more than 100%!
[ link to this | view in chronology ]
Re:
This is entirely true and I was thinking the same thing. Breaches of some entities may reveal not just all the accounts people have with them, but account information shared between "partner" entities as well.
[ link to this | view in chronology ]
break such an algorithm
[ link to this | view in chronology ]
Re:
With a little creativity, my way works too :)
[ link to this | view in chronology ]
Re: Re:
I read it, thought break, and then decided that yes, I could go with brake.
But I do think I would lean more toward Rule than Effect. Hell, it's pretty much a mandate on the reporting outfit's side.
[ link to this | view in chronology ]
formula:
presume "all". why bother with the middle man?
[ link to this | view in chronology ]
FTFY
But any more, does it really matter unless it's a medical or credit service? All of virtually everyone's data has already been breached multiple times. That horse has left the barn.
100% of Nintendo's accounts could have been breached and the net effect, because Nintendo doesn't have much in the way of sensitive information, will be zero. Apart from some class action suit that makes a few lawyers rich and does nothing for the victims, that is.
[ link to this | view in chronology ]
Re:
I don't think all the criminals have everyone's data. More salient is the fact that everyone should re-secure their accounts if they are still operable, and report them if they have been hijacked or used by another party.
[ link to this | view in chronology ]
Re: Re:
haveibeenpwned.com
[ link to this | view in chronology ]
Geigner's Effect?
<Smack!>
Silly boy! You don't get to define an effect and then slap your own name on it!
If an effect comes apparent and we remember you, that's when we coin a mnemonic.
Then, and only then, "The Geigner Effect" comes into use, and you won't own it.
</Smack!>
[ Besides, we're still waiting to see if you get dragged away by the Secret Police,
because that effect would be much more precisely measurable as well as memorable! ; ]
[ link to this | view in chronology ]
Re: Geigner's Effect?
I think "Yahoo Effect" is actually more apt. If it's to be named after the person who identified it then "Geigner's Law" would be better than "Geigner Effect". Or just assign it a new Internet Rule number, e.g. Rule 1572: A hacked database will always be hacked completely regardless of what the database owner says happened.
[ link to this | view in chronology ]
Re: Geigner's Effect?
Well, ok. I'll nominate "The security breach is always far worse than reported" as Geigner's corollary to Murphy's law.
"Besides, we're still waiting to see if you get dragged away by the Secret Police..."
Eh, no, that's Hoover's law. Or possibly, to keep up with modern times, Cheney's. Or was that one "There's no crime waterboarding can't produce confessions to"?
[ link to this | view in chronology ]
Re: Re: Geigner's Effect?
Anti-crime legislation mobilizes racist fears in the white population.
It has been successful enough to undo many gains of the previous two
decades: to initiate preventive detention, undermine the jury system and put
into effect new mandatory death penalties. Two models are the special
police crackdown unit used in Detroit, called STRESS, which was
responsible for the murder of many Black people. Yes, that was 60 years ago, but THAT DOESN'T MATTER!
Not Any More!
https://www.capitolhillseattle.com/2020/06/welcome-to-free-capitol-hill-capitol-hill-autonomous-zone-forms-around-emptied-east-precinct/
[ link to this | view in chronology ]
Re: Re: Re: Geigner's Effect?
Did you mean to post in a different thread, and perhaps as a root comment instead of reply?
[ link to this | view in chronology ]
I don't know why anyone would be surprised by this. Most corporations wouldn't report a breach at all if they weren't facing liability by not doing so. Since they do, the impetus is then to downplay the incident to avoid losing users, so they'll give a low ball estimate before the incident is investigated. They will then release the actual numbers after an investigation is completed, possibly delaying it as much as possible so that their users have forgotten about the breach by the time the full extent is known.
The only defense you have as a user is to assume that you have been compromised and take all actions necessary as if you have been affected. Even if you haven't, that's the best time to ensure you have all protections in place. If you're waiting for a press release from an actor that's incentivised to downplay what's happened, you're asking for trouble.
[ link to this | view in chronology ]
Trouble at Capital Hill Free Zone!
Trouble!
The real energy crisis is the crisis of imperialism. It is seen in a fight
over raw materials and resources. It reflects the crisis in empire: declining
Western control over the economies of the Third World, increased
competition between capitalist countries, and growing stagnation arising
from contradictions within monopoly capitalism itself. The system is in
TROUBLE!.
Big Trouble!
https://www.reddit.com/r/MapPorn/comments/gzrxba/the_capital_hill_free_zone_currently_in_place_in/
NOW WE ARE IN CHARGE!
(Will Grab deliver in this area? I'm hungry)
[ link to this | view in chronology ]
Re: Trouble at Capital Hill Free Zone!
Oh, I see, you are just posting randomly.
Feels bad. Can't take spam seriously. (Also, you are a little dramatically shouty.) Too bad, valid issues.
[ link to this | view in chronology ]
Free Capital Hill Autonomous Zone Statement about Capitalism
Few people really believe anymore in
the great civilizing leadership role of the US. Few still think that capitalism is
the best of all possible ways to meet the economic needs of the world's
peoples, or that Black and Third World people are sub-human labor material
destined to support the more worthwhile activities of white supermen. Few
really believe that men will go on indefinitely monopolizing power in a
supremacist anti-women society. Stated simply, our strategy is to base
ourselves on the trends of change, to revolutionize and push them on, and to
intervene in everything.
https://www.capitolhillseattle.com/2020/06/welcome-to-free-capitol-hill-capitol-hill-autonomous-zone-forms-around-emptied-east-precinct/
[ link to this | view in chronology ]
Re: Free Capital Hill Autonomous Zone Statement about Capitalism
Not from Seattle and I support the BLM movement, but I have a Bachelor's degree in history and political science and I'm a gambling sorta guy. Anybody wanna take bets on how long this autonomous zone will last? Definitely shorter than Free Derry in Ireland, but how short?
Do these people have enough resources to sustain themselves? If not, do they have a supply line? Is there established leadership, or is it more like a commune? Do they have an ultimate goal or is this closer to "Occupy Wall street?" First aid is good, but do they have access to medicine and healthcare? Are they actually fighting the police, or are they intimidating them with their numbers? Are there any suspect groups you're gaining support from? (i.e. Nazis, ISIS, etc.)
And on the police side: Do you have support from the surrounding community? Are you planning a long siege, or a quick, hard push? Do the protesters have demands and are you able to meet those demands? Will the protesters actually leave after those demands are met? Are you in negotiations with the leadership, if there is any?
My initial guess, at BEST the protesters have one week for the cracks to show, 2 weeks they will have lost most of the area aside from one building. But that's if they don't have their shit together. Any other guesses?
[ link to this | view in chronology ]
Re: Re: Free Capital Hill Autonomous Zone Statement about Capita
"Are there any suspect groups you're gaining support from? (i.e. Nazis, ISIS, etc.)"
...or, lamentably it has to be asked if there's a chance the poster is just another Identity Evropa supremacist putting on a blackface act and putting up radical calls for insurgency in the name of Black Lives Matter?
After the recent spate of gaslighting the neo-nazi shitheaps have pulled there's an extra need to sanity-check anything which sounds inflammatory, lest it turn out to be Baghdad Bob just having been replaced by a slightly more skilled supremacy agitator.
[ link to this | view in chronology ]
you don't go around making up your own nickname
...therefore you don't get to propose a law named after you. Pretty sure it's Streisand effect, not Masnick effect :D
[ link to this | view in chronology ]
Try an Internet search on Masnick effect and see what comes up first :)
[ link to this | view in chronology ]
The only way to be sure following a hack is for everyone to assume their account was among those compromised and act accordingly. As such, the safest assumption should always be "all the accounts."
Excuses like "less than one percent" are just useless fluff meant to make people feel good rather than helping re-secure their accounts.
[ link to this | view in chronology ]
Eponymous laws
I’m sorry, but what’s the Masnick Effect? Or are you talking about the Streisand Effect? If so, then it shouldn’t be Geigner’s Effect but something more like the Yahoo Effect or something.
[ link to this | view in chronology ]
Such a shame it's Nintendo customers who are affected. If it were only Nintendo, given the way it treats its customers and in particular, its most ardent fans, I'd say 'fucking good job, hope it gets annihilated'!!
[ link to this | view in chronology ]
Damage control
There's already a name for what these companies are doing: damage control.
[ link to this | view in chronology ]