Thread: A salutary experience - WD MyCloud hacked

  1. #1
    Senior Member

    A salutary experience - WD MyCloud hacked

    Firstly, no, I don't have MyCloud. But I came across this story (on the WAN show) and took a look at what happened. This post is partly a "this is interesting" for the crowd here, but partly for guests that find this via search engine and don't understand backing up.

    From what I can tell, WD MyCloud is a kind-of hybrid device that is a blend of a USB-type external drive box, a NAS and a cloud service. It seems to be a device that lets you store your data locally on the device (in 2TB and larger versions) but access it from multiple locations, on multiple devices (like phones) via a kind-of portal operated by WD. Which supposedly makes the whole thing easier, and safer because "experts" are managing/maintaining the portal.

    Until WD got hacked. Oops.

    At the time of writing, MyCloud has been down for about a week, and currently, there seems to be no timetable for when it might come back up. Also, "some data" has been lost, it seems, but it's unclear what, or even if it belongs to WD or customers.

    The real kick in the nuts? Despite user data being stored locally, on the hard disk in the MyCloud box, which is probably in the same room as the user physically is, or at worst on their own LAN, to access that data, you have to log in (and presumably authenticate) to WD MyCloud. And their portal is down.

    Yup, if I'm reading it right, users might be able to reach out and pick up the box containing their data, but can't access it because MyCloud is down. They're locked out of their own data. No doubt some of those users rely on that data to work, and earn their living.

    Most of us here are at least fairly clued up about IT, and I'm sure the gotcha inherent in this whole principle is evident from about the point I mentioned portals and log-in. But MyCloud isn't really aimed at IT people, but rather at consumers that want quick and easy solutions, but may well not see the risk involved in that gotcha.

    So provided they're using the MyCloud as a backup, meaning the data is actually on another device, like PC/laptop/iMac etc, and the copy on MyCloud is actually a backup, the situation is not too dire. But I've come across too many people over the years that hear of RAID, be it in a NAS, a standard PC or a server, and think that because it's on multiple drives in a RAID and there's redundancy, it's "backed up" just by storing it on that RAID device. No, it isn't.

    I even came across someone recently storing their PC data on an external USB drive, thinking that because it was on a device sold as backup, that it was backed up by storing it there, not on the PC/laptop. And yes, the external USB drive died. I can't even really blame the user. They thought they were backed up by copying onto that external drive? Well yes, provided you COPY it there, rather than storing it there in the first instance without keeping it on your PC as well, then you are, to a point.

    Hence the "salutary tale" bit in the title.

    I'm sure I'm preaching to the choir with our members here, but if your data matters to you, BACK IT UP CAREFULLY. If it REALLY matters, i.e. is important, irreplaceable and/or would cause significant loss if you can't recover it, you REALLY need a proper backup strategy, and to be prepared to pay for it.

    Consider the worst case. What are the implications of you losing some or all of your data? It might be annoying to lose your holiday pictures, but nowhere near as bad as losing your source of income or your business going bust.

    If you can't afford to back up everything thoroughly, at least back up the bits that would cause large financial loss, and probably anything of serious sentimental value .... like pictures of the kids growing up. This is one major disadvantage to taking all our pictures on digital cameras, whether in smart phones or not. At least in the past, we had negatives if we lost the prints.

    I'm not going to go into what constitutes a proper backup system. It's been done many times before, all over the web. Suffice it to say that if losing the data would hurt, back it up so that it is in at least THREE places. One might be your PC, laptop, iMac, phone or whatever but the other two must not be on the same physical device, or ... what if it gets lost or stolen?

    Ideally, one entire copy, of at least the really important data, should be in a different physical location. You might back up your PC to an external drive (that's the second copy), AND THEN to another such drive that is kept in your office, or at a relative's house, etc. Or, depending on how much of it there is, in cloud storage. But if the data is important, you need to diligently follow two main rules :-

    1) At least three copies, one of which is in a different location. And
    2) Keep it up to date.

    There is no point in having a backup if, when the time comes that you need it, it is hopelessly out of date.

    Personally, I use a system that largely runs automatically, not least because I'm a lazy git and if it relies on something causing me lots of inconvenience, I'll get lazy and it'll get out of date. So, I threw money at it. I use paid-for backup software (Macrium Reflect, but there are a number of good solutions, including some pretty good ones that are free). Almost everything backs up to a NAS, which in turn is then externally backed up.

    And critical files are then backed up to the cloud. But that raises another issue. Is your data at risk if someone gets hold of your backups? That probably depends what the data is, but suppose it includes your banking details, or private medical info that might mean you don't get a future job? And so on.

    So, encrypt everything. The cloud service I use is pretty reputable, and everything is encrypted before it gets uploaded, and is stored in encrypted form on that service in a way in which, I'm told, not even that cloud hosting company can decrypt it, because they do not hold the decryption keys. But for peace of mind, I encrypt the data MYSELF, separately, before it goes through the encryption process to upload and store it. Even if that hosting company lied and does hold the keys, or if someone breaks into them like they did to WD MyCloud, all they're going to get is data which is separately and thoroughly encrypted. i.e. everything I upload is double-encrypted.

    One final thought.

    Nothing, and I mean NOTHING that you store on a computer is or probably ever will be 100% safe. Even that double-encryption, while pretty damn secure for now, likely won't be in the event of quantum computers happening. And who knows what the future holds, or even what nation-state intelligence services like the CIA or NSA have today? Fortunately, I'm not too worried about the CIA wanting copies of my kid's pics or my medical files.

    So, if you don't want to risk losing it, BACK IT UP. And if you don't want to risk someone else getting hold of it, encrypt it properly.
    Last edited by Saracen999; 08-04-2023 at 05:55 PM. Reason: Typo
    A lesson learned from PeterB about dignity in adversity, so Peter, In Memoriam, "Onwards and Upwards".

  3. #2
    Percy1983, Senior Member

    I will add bit rot is worth checking for; I do yearly scans and there may be one or 2 files corrupted.

    I told a friend about this and they said they are safe as they recopy everything every time they backup, and they didn't believe me when I said you could end up copying a corrupted file over a good one.

    So my backups run by exception, so just updates and new/deleted, so files which sit for years won't be touched, as I have found bit rot has happened both on my internal hard drives and external backups. The good news is as I have 2 copies of most things and 3 copies of really important things, the odds on bit rot happening to the same file in 2 or 3 places is very low.

  5. #3
    DanceswithUnix, root Member

    Originally posted by Percy1983:
        I will add bit rot is worth checking for; I do yearly scans and there may be one or 2 files corrupted.

    How do you go about that then?

    Or do you just use ZFS and tell it to scrub the data occasionally?

  6. #4
    Senior Member

    Originally posted by DanceswithUnix:
        How do you go about that then?

        ...

    I guess you could do a checksum type calculation on (all the files in) folders, or even a whole drive? Then compare? SHA256 on 20TB might, ummmm .... take a while?

    No, I haven't tried it.
    A lesson learned from PeterB about dignity in adversity, so Peter, In Memoriam, "Onwards and Upwards".
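
The checksum-and-compare idea from posts #2 and #4, as an added example that is not from any poster in this thread: a Python sketch that records a SHA-256 manifest of a folder and, on a later run, separates files whose content changed while their modification time did not (the bit-rot signature) from ordinary edits. The function names and the sample tree are constructed for illustration.

```python
import hashlib, os, tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):  # 1 MiB chunks keep memory use flat
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> (mtime_ns, sha256) for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): (p.stat().st_mtime_ns, sha256_file(p))
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(old, new):
    """Classify differences between an earlier and a later manifest."""
    report = {"rot_suspect": [], "modified": [], "missing": [],
              "added": sorted(set(new) - set(old))}
    for name, (mtime, digest) in old.items():
        if name not in new:
            report["missing"].append(name)
        elif new[name][1] != digest:
            # Content changed but mtime did not: no normal write explains it.
            kind = "rot_suspect" if new[name][0] == mtime else "modified"
            report[kind].append(name)
    return report

def demo():
    """Constructed sample tree: one silent bit flip, one ordinary edit."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "photos").mkdir()
        photo, sheet = root / "photos" / "kids.jpg", root / "accounts.csv"
        photo.write_bytes(b"\xff\xd8" + b"A" * 4096)
        sheet.write_text("date,amount\n2023-04-01,10\n")
        before = build_manifest(root)
        # Simulate bit rot: flip one bit, then put the old timestamps back.
        st, data = photo.stat(), bytearray(photo.read_bytes())
        data[100] ^= 0x01
        photo.write_bytes(data)
        os.utime(photo, ns=(st.st_atime_ns, st.st_mtime_ns))
        # Ordinary edit: new content and a later modification time.
        st = sheet.stat()
        sheet.write_text("date,amount\n2023-04-01,10\n2023-04-08,25\n")
        os.utime(sheet, ns=(st.st_atime_ns, st.st_mtime_ns + 2 * 10**9))
        return compare(before, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

A file reported under `rot_suspect` is the case described in post #2: restore it from another copy before a full recopy overwrites the good version with the corrupted one.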

  7. #5
    AGTDenton, Senior Member

    An update on this issue has been released. Appears the Online Store is the most affected in this breach.


    Originally posted by WD via BleepingComputer:
    "Based on the investigation, we recently learned that, on or around March 26, 2023, an unauthorized party obtained a copy of a Western Digital database that contained limited personal information of our online store customers," Western Digital said.

    "The information included customer names, billing and shipping addresses, email addresses, and telephone numbers. As a security measure, the relevant database stored, in encrypted format, hashed passwords (which were salted) and partial credit card numbers."
    https://www.bleepingcomputer.com/new...h-cyberattack/

  8. #6
    Senior Member

    Not as bad as it could have been, though "partial" credit card numbers is a bit vague. I mean, all but one digit is still partial but not good news. I guess they probably mean "last four", as that seems to be common, and not too much of a risk. Still, if I were affected (wasn't) I'd still be changing my card, if I hadn't already done so.

    It does bring one thing to mind for the less wary out there. When a site offers to "store" your payment details to make repeat transactions easier and more convenient, the safest answer is always to decline. They can leak (partially or not) what they didn't store in the first place. Even if they encrypt it, it won't help much IF they get compromised to the point where the keys are stolen too.

    A real cynic might, ahem, have a credit card with a VERY low credit limit for things like regular subscription charges, and auto top it up monthly, or do similar with a bank account kept at a very low, but sufficient balance and auto-feed that from a main account, and NEVER use the main account other than direct with the bank. Active precautions are, in my view, almost mandatory these days.
    A lesson learned from PeterB about dignity in adversity, so Peter, In Memoriam, "Onwards and Upwards".

  9. #7
    AGTDenton, Senior Member

    Originally posted by Saracen999:
        I guess they probably mean "last four", as that seems to be common, and not too much of a risk.

    I believe it's determined by the card issuer. Sometimes I see 1st 2 and last 4, but most common is just the last 4.

    Originally posted by Saracen999:
        It does bring one thing to mind for the less wary out there. When a site offers to "store" your payment details to make repeat transactions easier and more convenient, the safest answer is always to decline. They can leak (partially or not) what they didn't store in the first place. Even if they encrypt it, it won't help much IF they get compromised to the point where the keys are stolen too.

    It's been a while since I stored my card details or 3rd party i.e. amazon pay or paypal, especially when using smaller companies that are likely to not be around for long.
    A few exceptions of course but less than a handful.

  10. #8
    Senior Member

    Originally posted by AGTDenton:
        I believe it's determined by the card issuer. Sometimes I see 1st 2 and last 4, but most common is just the last 4.

        It's been a while since I stored my card details or 3rd party i.e. amazon pay or paypal, especially when using smaller companies that are likely to not be around for long.
        A few exceptions of course but less than a handful.

    I guess it's somewhat usage dependent. If I was constantly buying, typing it in every time soon becomes a pain. But if it's occasional .... rather the minor hassle of typing it in and declining "storage" than the major hassle of risking dealing with fraud, ID theft or worse, both. As it is, for me, I don't use cards online enough for typing it in to be a pain.

    As a sidenote, the only way to be completely safe with our credit card details is to never, ever use them online. Or offline for that matter. So to be absolutely safe with the card, when you receive it .... cut it into small pieces, burn them entirely and seal the gloopy resulting mess in concrete and drop them dead-centre in the heart of an active volcano.

    Paranoid? Who? Me?
    A lesson learned from PeterB about dignity in adversity, so Peter, In Memoriam, "Onwards and Upwards".
