Step one to fixing data breaches. Fix your policies

Look, the breach happened, whatever; moving past that.

The response has left me a little dumbfounded here. You do not ASK your users to reset their passwords. You force a password reset for each account. Period.

You do not CHECK A BOX to log out of all sessions. When a password is changed on an account it should -always- terminate all active sessions using that password. These are normal security practices, and the fact that sessions are not automatically terminated after a password change is a vulnerability on its own in your systems.

Feel free to assign a CVE for that one and credit me on that while you’re in the process of fixing that please.
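As an added illustration of the two practices argued in the post above (not code from this thread or from the vendor being discussed), here is a minimal account and session store in which a password change unconditionally drops every session for that account, and a breach-response routine forces a reset for all accounts. The class and function names (AccountStore, Session, force_reset_all) are assumptions for illustration only.

```python
"""
Added example, not code from the forum thread or from any vendor:
a minimal account/session store demonstrating that

  1. changing a password always terminates every active session for that
     account, with no opt-in checkbox, and
  2. a breach response force-expires credentials on every account, so no
     login succeeds until the user sets a new password.

Names here (AccountStore, Account, Session, force_reset_all) are assumed
for illustration.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    pw_version: int = 1        # bumped on every password change
    must_reset: bool = False   # set by breach response; login refused until reset


@dataclass
class Session:
    token: str
    username: str
    pw_version: int            # password version this session was minted under
    created: float = field(default_factory=time.time)


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count chosen for the example only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccountStore:
    def __init__(self):
        self.accounts = {}   # username -> Account
        self.sessions = {}   # token -> Session

    def register(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash(password, salt))

    def login(self, username, password):
        """Return a session token, or None if the login must be refused."""
        acct = self.accounts.get(username)
        if acct is None or acct.must_reset:
            return None
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, username, acct.pw_version)
        return token

    def session_valid(self, token):
        s = self.sessions.get(token)
        if s is None:
            return False
        acct = self.accounts[s.username]
        # Belt and braces: even if a stale session record survived deletion
        # (e.g. a replicated cache), it is only valid for the password
        # version it was created under, and never while a reset is pending.
        return s.pw_version == acct.pw_version and not acct.must_reset

    def change_password(self, username, new_password):
        acct = self.accounts[username]
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.pw_version += 1
        acct.must_reset = False
        # Unconditionally terminate every session for this account; the
        # user is not asked whether they want this.
        self.sessions = {t: s for t, s in self.sessions.items()
                         if s.username != username}

    def force_reset_all(self):
        """Breach response: every account must set a new password before
        any further login, and all existing sessions end now. Returns the
        number of accounts affected."""
        for acct in self.accounts.values():
            acct.must_reset = True
        self.sessions.clear()
        return len(self.accounts)
```

In a real deployment the reset flow would be reached through an out-of-band verified link rather than a direct `change_password` call, and the session store would live in a shared cache or database; the version check in `session_valid` is what keeps the invalidation correct even when deleting session rows is not perfectly atomic.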

I’ve somehow avoided spam mail on my personal email for 18 years now, until this breach.

Each person can assess their risk accordingly and decide if resetting their passwords is right for them. I get what you're saying, but for most people the risk is really low to non-existent. Further, CVEs don't apply to security practices, so you could never be assigned a CVE for making recommendations on how a company should handle security practices.

Each person can assess how they want to handle their risk accordingly, for sure; you do that. But when a large chunk of your database, and subsequently credentials and PII, is disclosed to a third party, it then becomes the responsibility of the vendor to mitigate that by whatever means necessary. This isn't just some opinion that I have. These are the guidelines outlined by CIS and NIST.

Secondly:

I think you get the idea, but if you need any more examples let me know; I've got a couple hundred more I can link.
