Microsoft denies data breach, theft of 30M customer accounts(bleepingcomputer.com) |
I think you can also simply unlink and sign out of the Microsoft account once logged in to effectively make it a local user, but your user folder is stuck using the username of the Microsoft account, which also gets cut off after like 8 characters.
I abhor the whole process and it's annoying because there's no other way to create a local account during Windows 11 setup on e.g., a laptop because it knows that the wifi module works and will not let you progress unless you connect to the internet. I tried unplugging my modem and connecting to my internet-less router, but it still refused to progress because it didn't have internet access.
Don't even get me started on the other dark patterns once you actually have a local user set up, like being pushed through part of the OOTB Windows setup again after a major feature update asking you to log into a Microsoft account and making sure you still want all the (user accessible) telemetry off.
The worst part is that I actually like Windows 11 and some of the new features like the tiling layouts when hovering over the maximize button on a window, the new default terminal program, etc. But, the whole thing is entirely soured by dark patterns like the aforementioned forceful use of a Microsoft account, all the extra Edge and Bing crap being shoved down my throat, the poor web-first Windows search, widgets just basically being an MSN feed, Teams starting at login by default on a new install, random apps and games being advertised in the start menu on a new install, etc.
Is the spell to just make a local account on Professional Edition?
If you have Home Edition, you have to use the "no network" option in the OOTB setup.
Pulling the ethernet plug to get a local account doesn't even work anymore. The only trick I know still works is to give it a fake account (like test@test.com).
I've always been installing Pro versions and I've never been forced to use an MS account.
We started landing new customers like crazy and in a few months got to 1,000 monthly paying customers. Same products.
Apple has known this since they were founded.
This whole thing seems a bit fishy.
This is possibly from some other breach and nothing to do with MS
So I'm inclined to say that they have had a breach.
"We have seen no evidence that customer data has been accessed or compromised." -
https://msrc.microsoft.com/blog/2023/06/microsoft-response-t...
There you go, this news article is the evidence of intrusion + data breach
The Microsoft password is one I couldn’t just copy paste from a password manager and now I have to change and relearn it.
Damnit.
A database containing passwords? Why anyone would store passwords in a database is beyond my comprehension.
Media coverage tends not to get the distinction right, so it's always hard to tell if the company fucked up or the attacker is exaggerating on early coverage.
If Microsoft's centralization allowed for an attack vector to take down the whole western hemisphere's productivity for a week, could the resulting rage destroy the monopolies?
So they have been breached. Ok.
"Hacking groups" have tried this type of scam in the past where they try and hotglue some data from various sources and claim it's a bigger leak.
This is totally ass-backwards. There is negative incentive to do any investigation. An investigation can basically only make things worse as you get to assume no harm when you are ignorant.
They should be required to disclose the worst with only a thorough investigation demonstrating a credible absence of compromise allowing a positive statement.
This incentivizes investigation and properly errs on the side of the victim when assessing risks.
If this is what the company anticipates they will have to investigate and disclose.
If the breach is a foreign government or hush-hush data hoarder or the result of plain incompetence, the company can absolutely ignore the problem.
You'd be requiring companies to speculate on the outer bounds of something that is simply not knowable.
> "We have seen no evidence that customer data has been accessed or compromised."
I think they are sincere here. I too have seen Windows machines being compromised and the system, with the latest certified antivirus, run happily. /s
The followup question to those kinds of statements should always be "do you have any evidence that your accounts are not compromised?"
I.e. absence of evidence is not evidence of absence.
What proof would you propose that you be shown? How do you prove something didn't happen?
The consequences to a company only manifest when noise is being made with proof. That is totally ridiculous.
I do not trust corporations, so I generally do not do things like biometrics and stuff.
I don't completely understand how PINs are more secure than my complex password either. That could be ignorance.
In short: even then, storing plaintext passwords seems... like choosing convenience over security, and that seems very wrong.
Until a more detailed investigation/write-up comes out it's difficult to say for certain what they have, if anything.
Admittedly, they do heavily suggest connecting an iCloud account.
Sucks to be them, but then they have a very strong incentive to quickly begin investigation and triage so that they can quickly identify who is actually at risk.
It is ridiculous to sacrifice the victims by keeping them ignorant of the risks they are facing so that the company can save face. They should not be allowed to blindly speculate that everything is perfectly fine, which is simply not knowable without an investigation.
What's the burden of proof to confirm that the first sentence in your quote is correct? (Can I just claim to have breached some company and have the law compel them to issue that quote?)
You're frustrated that companies are issuing information-free notices today; your proposal appears to make them issue information-free notices tomorrow.
Your complaint that the situation will just turn into everybody acknowledging that they are hopelessly insecure is a far better situation than now, where everybody lies by claiming that they are secure. It results in the acknowledgement of breaches and the acceptance of liability that would be helpful for future legislation that can actually apply penalties for delivering products that are defective with respect to security.
I don't think anyone would have to claim to have breached the company in question.
Just the act of asking the question would compel any company to have to respond "Yes, we have been breached."
So as a user, just assume this at all times, then. Just assume that all of your accounts are hacked or will be in 10 minutes and don't put anything in them that you would not be ok with others knowing. I don't see the difference between just assuming they're all compromised and waiting for a company to tell you that your account may be compromised and that they'll tell you more in 2 years once the investigation is fully completed and everything is known.
Keep in mind these hackers are the ones saying they have passwords and this is Microsoft. Most likely hashes.
There's a reason IEEE says it's best practice to give IoT devices a strong username and password and to segment them away from the rest of your network, right?
Or is it that you're so concerned with experiencing specific games which will come out only for Windows that you're willing to suffer that hell?
Because really... Your comment makes you seem irrationally attached to windows only games....
Regardless, I mentioned other software besides video games and there's more besides what I listed. I've already gone through the process of making Windows less of a nightmare that it's not a problem for me right now. So no, I don't think it's irrational, regardless of video games, to go through the headache of dealing with Linux distros right now, which I've done plenty of in the past and is its own hell that I'd have to suffer.
The whole point of hashing passwords is so if the DB containing them is breached the passwords are not compromised.
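As an added illustration of the hashing point raised in the comment above (and in the earlier comments wondering why a database would hold passwords, and whether the "passwords" in a leak are really hashes): this is example code written for this page, not code from Microsoft or from anyone in the thread. It assumes scrypt with modest cost parameters (2^14, 8, 1), a self-describing record format of the form `scrypt$N$r$p$salt$hash`, and a constructed three-user "leaked table" plus a constructed four-word attacker wordlist. The example goes slightly beyond the comment: it also shows the caveat that a leaked hash still allows offline guessing, so hashing protects strong passwords but not weak ones.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# scrypt cost parameters. Assumption for this example: 2^14 / 8 / 1 keeps each
# derivation to tens of milliseconds; production deployments should raise N
# to whatever their login hardware tolerates.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
DKLEN = 32


def hash_password(password: str) -> str:
    """Derive a salted scrypt hash and return a self-describing record.

    The record carries the algorithm, its cost parameters and the salt, so a
    verifier can recompute the hash later with no other state. The password
    itself never appears in the record, which is what a breached table leaks.
    """
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def offline_guess(record: str, wordlist: list[str]) -> str | None:
    """What an attacker holding a leaked record can do: guess offline.

    Every guess costs one full scrypt derivation, which is the reason to use a
    slow, salted hash rather than a fast one. Returns the recovered password,
    or None if nothing in the wordlist matched.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


def simulate_leak() -> dict[str, str | None]:
    """Constructed 'leaked users table' (not real data) cracked with a tiny wordlist."""
    # Two users chose the same weak password; one chose a long passphrase.
    leaked_db = {
        "alice": hash_password("hunter2"),
        "bob": hash_password("hunter2"),
        "carol": hash_password("correct horse battery staple"),
    }
    # Per-user salts make alice's and bob's records differ even though the
    # password is identical, so the attacker cannot spot shared passwords or
    # reuse one cracked hash for both accounts.
    assert leaked_db["alice"] != leaked_db["bob"]
    # Constructed attacker wordlist.
    wordlist = ["password", "123456", "hunter2", "letmein"]
    return {user: offline_guess(rec, wordlist) for user, rec in leaked_db.items()}


if __name__ == "__main__":
    for user, recovered in simulate_leak().items():
        print(f"{user}: {'cracked -> ' + recovered if recovered else 'not recovered'}")
```

Running the script recovers `hunter2` for alice and bob and nothing for carol: the leaked rows contain no password, but a weak password is still one wordlist hit away, which is why a leak of hashes is still a reason to rotate anything guessable.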