
    475 points danielstocks | 13 comments
    1. hundchenkatze ◴[] No.27303915[source]
    Klarna has posted a statement here https://www.klarna.com/uk/blog/written-statement-on-app-bug/
    replies(4): >>27304303 #>>27304317 #>>27304383 #>>27305164 #
    2. dvaun ◴[] No.27304303[source]
    In their statement they deny accessing bank details:

    > The bug led to random user data being exposed to the wrong user when accessing our user interfaces. It is important to note that the access to data has been entirely random and not showing any data containing card or bank details (obfuscated data was visible). This means that it has been impossible to access a specific user’s data.

    This is not the experience of the user in the OP: https://twitter.com/esraefe/status/1397843949985931265

    replies(1): >>27304472 #
    3. _nnv7 ◴[] No.27304317[source]
    They mentioned human error. I could feel bad for the human who error-ed, but I wonder what kind of human error could have this huge impact.

    It could be something to do with cache configuration.
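    An added illustration, not code from this thread and not Klarna's code (the page does not say what actually caused the bug), of the kind of cache misconfiguration the comment above speculates about: a shared response cache whose key is only the URL serves the first user's cached account page to every later user, while a key that includes the authenticated user (the equivalent of Vary on the session cookie, or of marking the response private/no-store) does not. The accounts, the /me path and the cache itself are constructed for the example; the leaked body carries only a display-masked card, which is also why a leak of this shape can be described as "obfuscated data was visible" and still expose issuer, last four digits and address to a stranger.

```python
# Added illustration of a shared-cache misconfiguration leaking one user's
# page to another. Not Klarna's code; the real cause of the incident is not
# described in the thread. All data below is constructed for the example.

from dataclasses import dataclass, field

# Constructed sample accounts. The card is already display-masked
# (issuer + last four), as comment 5 describes.
ACCOUNTS = {
    "user-a": {"name": "Alice Example", "card": "Visa **** 4242", "city": "Stockholm"},
    "user-b": {"name": "Bob Example", "card": "Mastercard **** 0007", "city": "Berlin"},
}


def render_profile(user_id):
    """Backend handler: returns the authenticated user's own profile."""
    return dict(ACCOUNTS[user_id])


@dataclass
class ResponseCache:
    """Minimal shared (CDN-style) response cache in front of render_profile.

    key_on_user=False reproduces the misconfiguration: the key is only the
    path, so whoever hits /me first after a purge seeds the entry everyone
    else then receives. key_on_user=True is the corrected setting: the
    identity of the requesting user is part of the cache key.
    """

    key_on_user: bool
    store: dict = field(default_factory=dict)
    hits: int = 0

    def get(self, path, user_id):
        key = (path, user_id) if self.key_on_user else (path,)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        body = render_profile(user_id)
        self.store[key] = body
        return body


def owner_of(body):
    """Map a rendered body back to the account it belongs to."""
    return next(uid for uid, acct in ACCOUNTS.items() if acct["name"] == body["name"])


def simulate(key_on_user):
    """Alice loads /me, then Bob loads /me, through one shared cache.

    Returns a list of (viewer, owner) pairs for every response in which the
    viewer was shown somebody else's data. Empty list means no leak.
    """
    cache = ResponseCache(key_on_user=key_on_user)
    leaks = []
    for viewer in ("user-a", "user-b"):
        body = cache.get("/me", viewer)
        owner = owner_of(body)
        if owner != viewer:
            leaks.append((viewer, owner))
    return leaks


if __name__ == "__main__":
    print("path-only cache key, leaks:", simulate(key_on_user=False))
    print("path+user cache key, leaks:", simulate(key_on_user=True))
```

With the path-only key, Bob's request is a cache hit and he receives Alice's masked card, name and city; with the user in the key, each user only ever sees an entry seeded by their own request. The same check (does the owner of the served body match the requester?) is the kind of invariant an integration test can assert against a real cache layer.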

    4. arthur_sav ◴[] No.27304383[source]
    > It’s concluded that a human error caused the bug

    I would not want to be that "human" atm

    replies(3): >>27304552 #>>27304787 #>>27313049 #
    5. hbosch ◴[] No.27304472[source]
    I believe it is the case that when you see your stored payment method, it is obfuscated such that it only reveals the last 4-5 digits. Same with bank details as far as I know.

    However, showing the card issuer/bank + the final 4 or 5 digits of an account or card number is still extremely distressing. There are some services and vectors out there that can be engineered with just that information for sure.

    Combine that with possibly exposed address, telephone number, and you are in very dangerous territory.

    replies(1): >>27304998 #
    6. stadium ◴[] No.27304552[source]
    A good practice is that once a change passes code review and ships, the team owns it.

    Human error doesn't mean blame the human, it's better to look at the overall processes and system to figure out how to prevent human error the next time around.

    7. sorenjan ◴[] No.27304787[source]
    Reminds me of this story after an expensive mistake:

    > Boss - "Why do you think you are here, Jack?"

    > JW - "I expect I am here so you can fire me"

    > Boss - "I just spent a million dollars on your education - why would I fire you now?"

    http://www.nickmilton.com/2016/03/jack-welch-on-learning-fro...

    replies(2): >>27311377 #>>27312934 #
    8. shkkmo ◴[] No.27304998{3}[source]
    It might be accurate if you are internally discussing PCI compliance.

    However, to the layperson, "bank details" definitely includes name of bank and last 4 digits of account number. It does come across as deceptive to use that terminology to respond to customer complaints.

    9. hatchnyc ◴[] No.27305164[source]
    > affected up to 0.1%, approximately 90 000, of our users

    Does this mean the bug affected .1% of accounts or that only .1% logged in during the 31 minute window when the bug was present?

    10. PebblesRox ◴[] No.27311377{3}[source]
    Yesterday's Money Stuff has a good discussion in this vein:

    "A somewhat tongue-in-cheek but surprisingly useful maxim of high finance is that it is good for your career if you lose a billion dollars. I mean, if you lose a billion dollars for your employer you will probably be fired, though that depends on who your employer is and how much money you started with and what you did to lose it. But lots of other employers will be excited to hire you, once they learn that you lost a billion dollars for someone else."

    https://www.bloomberg.com/opinion/articles/2021-05-26/exxon-...

    replies(1): >>27313263 #
    11. boruto ◴[] No.27312934{3}[source]
    That is definitely not the case in EU software industry. I have seen technical leads get fired for a bug which caused 200k EUR loss. With team setups and documentation no one is irreplaceable.
    12. rorykoehler ◴[] No.27313049[source]
    Almost certainly isn't a single human unless their governance model is atrocious
    13. ALittleLight ◴[] No.27313263{4}[source]
    There is a Dilbert comic about this.

    https://dilbert.com/strip/1995-12-23