Comments on: Financial Exposure: Rudder Inadvertently Shows Users Each Other’s Bank Account Info

By: Setting Up DKIM and DomainKeys using DKIMProxy with Postfix in Ubuntu Hardy | PocketSmith

Wed, 12 Aug 2009 02:11:04 +0000

[...] all, Rudder had a security blunder after a dodgy DKIM install. SO JUST STAGE IT FIRST, OK? Seriously, don’t mess with the [...]

By: Web Apps: The here and now « Keross

Web Apps: The here and now « Keross — Tue, 26 May 2009 07:44:15 +0000

[...] requirement to protect user data from each other, not just from external sources. Check out Rudder, who recently managed to show users each others Bank Account info. The problem is much more complex than it [...]

By: Rudder: A Cautionary Tale « Where’s Our Money?

Rudder: A Cautionary Tale « Where’s Our Money? — Fri, 22 May 2009 15:34:19 +0000

[...] A recent security issue with the Web-based personal finance management (PFM) application called Rudder has served as a wake-up call to all service providers in the PFM industry and should serve as a cautionary tale for all consumers of these services. [...]

By: Celent Banking Blog » The Risks of PFM Revealed

Celent Banking Blog » The Risks of PFM Revealed — Thu, 21 May 2009 21:10:55 +0000

[...] blogosphere were ablaze yesterday with details of the breach. A good summary can be found on the TechCrunch blog. This is a serious blow to Rudder and the entire consumer direct PFM space. This is an inexcusable [...]

By: Rudder Emails User Financials to Wrong People | Personal Finance Software Reviews

Wed, 20 May 2009 20:49:09 +0000

[...] a large number of users the financial information of other people in their system. According to TechCrunch, one woman received around 300 emails containing the financials of other [...]

By: virus

virus — Wed, 20 May 2009 19:02:47 +0000

Uggggg, what a mess. This sort of computer mess really holds everyone back on adoption of online banking and other supposedly secure features.

By: Erick Schonfeld

Erick Schonfeld — Wed, 20 May 2009 16:28:54 +0000

Good catch. Now blanked out.

By: Niyi

Niyi — Wed, 20 May 2009 15:33:55 +0000

Dear Techcrunch,

Kindly blank out the email address of the first entry in the screenshot in this article.

You’ve inadvertently shown the whole world how much he has in his account.

Niyi

By: Niyi

Niyi — Wed, 20 May 2009 15:27:41 +0000

Twitter’s lack of HTTPS is a major problem.

There are so many people that don’t even realise that their password is transmitted in cleartext.

By: mp1

mp1 — Wed, 20 May 2009 14:21:54 +0000

I’m sure brendan doherty doesn’t appreicated that you failed to blank out his email address in your screen capture included in this article.

By: Ferodynamics

Ferodynamics — Wed, 20 May 2009 06:41:37 +0000

“instead of separating the emails, it appended them together,”

So was it Yahoo’s fault or not? Who did the appending?

I think the more important question is: Why trust Yahoo with your financial information, your identity, etc.

By: Rudder’s Financial Data Breach is NOT a SaaS Failure | CloudAve

Rudder’s Financial Data Breach is NOT a SaaS Failure | CloudAve — Wed, 20 May 2009 05:53:08 +0000

[...] Financial Exposure: Rudder Inadvertently Shows Users Each Other’s Bank Account Info Posted Under : Security Analysis Tags saas data security ibm mint financial services security breach rudder credit monitoring pr failure identity theft privacy breach Share this article: Permalink TrackBack No one has commented yet! Be the first one to comment! Your comment is awaiting moderation! [...]

By: Disaster

Disaster — Wed, 20 May 2009 05:27:00 +0000

This could bring a tons of lawsuits especially with personal information involved. I predict this site will not last long. Goodbye ……

By: Matt's mom-in-law

Matt's mom-in-law — Wed, 20 May 2009 04:30:43 +0000

Matt
Seems like you have a lot of time on your hands.
Do you spend all your time on techcrunch? You investors should be concerned as all you do is get your marketing spills here.

By: needmoney.com

needmoney.com — Wed, 20 May 2009 00:42:52 +0000

Wow. Epic fail.

By: Nikhil Roy

Nikhil Roy — Wed, 20 May 2009 00:38:59 +0000

Benji,

First of all, I’d like to sincerely apologize for the issue that caused multiple emails to be sent containing the financial updates of other Rudder users.

We have created a post which provides the details of what happened, along with our detailed response to the issue – http://rudderup...ate.tumblr.com/

I’d like to reiterate our apologies to those affected. Although nothing in the email would enable recipients to access bank accounts, withdraw funds or transfer money, our users’ peace of mind is of utmost importance to us. Therefore, we will provide affected users with a subscription to an Identity Theft Monitoring service, paid for by us.

Your trust and security is of utmost importance to us and we will go above and beyond the call of duty in every aspect of our business in order to regain your confidence.

By: swag

swag — Wed, 20 May 2009 00:37:03 +0000

My wife gags at the prospect of aggregators, such as mint.com, for this very reason.

By: Nikhil Roy

Nikhil Roy — Tue, 19 May 2009 23:48:54 +0000

This Nikhil Roy the Founder & CEO of Rudder.com

We at Rudder sincerely apologize for the issue that resulted in the financial updates of up to 732 of our users being sent to one another. We have identified the problem, assessed the full scope of the issue and have implemented measures to ensure that it will never happen again.

Although nothing in the email would enable recipients to access bank accounts, withdraw funds or transfer money, our users’ peace of mind is of utmost importance to us. Therefore, we will provide affected users with a subscription to an Identity Theft monitoring service, paid for by us.

In addition, we promise to work tirelessly, from here on out, to restore user confidence.

We have set up a hotline for concerned users to call – (877) 730 4914 extn 0.

Here’s a summary of what happened:
On May 18th, 2009 we made a change to our utility that generates custom email updates for each individual user. On the morning of May 19th, 2009, the first time the emails were sent out after the change, instead of sending out emails to each individual user, a bug in the utility caused it to append several email addresses together. The issue was detected early and subsequently all email communications were stopped. However, incorrect emails were sent to users whose email addresses started with either a number or the letters “a” or “b”. In total, emails were sent out for 732 users (less than 2% of Rudder’s user base). We’d like to reiterate that Rudder has “read only” access to your account balances and transactions. We do not store account credentials like user names, passwords, or your personal information like name, address or social security number.

To be clear this incident was not the result of a security breach, nor was any third-party hacker involved.

We greatly appreciate the generosity that the Rudder user community has shown us thus far, and for those of you who choose to continue managing your finances with us, we will go above and beyond the call of duty in every aspect of our business in order to regain your confidence.

Anyone who wishes to cancel their account and delete all associated data may do so here https://www.rud...r.com/settings/.

The online banking industry itself (including companies large and small) has been grappling very publicly with issues of security and privacy for many years.

More than anything, we hope that users do not let this incident discourage them from pursuing the benefits of managing their finances online, regardless of which provider they may use. Improving Americans’ financial health has been our mission since day one, and we continue to believe that this new generation of personal finance management applications, including Rudder, have the potential to change the world for the better.

Sincerely,
Nikhil Roy
Founder & CEO
Rudder.com

By: some dummy

some dummy — Tue, 19 May 2009 23:27:28 +0000

i remember logging into salesforce once and seeing someone else’s data (sales guy was good – he had cell phone #’s to the daughter of CEO of PG&E) but that was years ago

but this is why I don’t use these young companies just yet – want to see them last a few years then will be on board. Sorry Mint, et all, but having ID theft is a nightmare – takes years to unravel.

By: Jenn

Jenn — Tue, 19 May 2009 22:49:29 +0000

This is why I don’t use rudder, mint or any of those sites. Do you really want to trust your highly sensitive info with a startup? No thanks.

By: Adam

Adam — Tue, 19 May 2009 22:09:36 +0000

Only because it was designed wrong I guess, or was it designed to have a fail mode like this?
I guess no answer is valid, only that someone got it very very very very wrong.
Lets not even consider what access employee’s have and just how far would you trust those kind of developers who had designed it like that.

By: matt @ Thrive

matt @ Thrive — Tue, 19 May 2009 21:42:29 +0000

@Dave: No problem. I should have explained more fully – we’re just a data-driven company and we do extensive user testing as well, so I often don’t think twice about explaining why I use the data: it is just a standard part of helping build a better product for them. Thanks for the catch!

@Rob Silver: Nope. I’m actually speccing out a new feature (coming in late June!) at the moment, and keeping TechCrunch open in a side window to drop quick comments. Because I know that people are helped by personal finance sites (data is awesome), I wanted to make sure that one error by a single company didn’t cast doubt over a whole cluster of sites.

By: Rob Silver

Rob Silver — Tue, 19 May 2009 21:35:16 +0000

@matt Do you have the day off from work?

By: Chris

Chris — Tue, 19 May 2009 21:35:07 +0000

I wonder how many of those people Twittering about Rudder use the same password for Twitter (HTTP only, no HTTPS option even for login) as they do for Rudder?

By: Dave

Dave — Tue, 19 May 2009 21:32:14 +0000

Thanks, Matt. I knew the hawk-eyed would pick up on that.