Post your tech glitches, errors, issues, etc. here.


Comments

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    Mods,

    There's someone cross-posting a ridiculously large number of mainly months-old articles as "breaking" research essentially flooding the forum. This nonsense is aggravating my headache.

    Please answer why BCO ignored multiple notifications of a data breach for over 5 months.

    Thanks in advance!

  • Rah2464
    Rah2464 Member Posts: 1,647
    edited May 2022

    I saw that as well serenitystat. It is illogical and gets in the way of people that are ill or who are scared that they may be ill to communicate to current members.

    I do think the lack of response to notification of security breaches is extremely disappointing and frankly concerning. The absolute lack of communication and response about the issue is very telling. It is getting harder and harder to continue to try and support these boards. And I dearly want to, they were a lifeline when I was first diagnosed and I want to pay that support forward if I can. I am at a loss how to engage the BCO leadership at this point.

  • Spookiesmom
    Spookiesmom Member Posts: 9,568
    edited May 2022

    🎶🎶🎶la la la la🎶🎶🎶🎶

    Bco

  • Kikomoon
    Kikomoon Member Posts: 350
    edited May 2022

    what's up with mods posting all over the place 2 hours ago but not addressing any issues on this site

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    rah - I went back 15 pages out of 20+ to unearth 2 posts that got buried by the mods. 😡 I don’t know how to reach BCO, but I’ll keep trying.

    spookiesmom - 🤣🤣🤣

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    kikomoon - Well, BCO will never tell. Could be to push the glitches thread from page 1, add multiple pages to show posting activity, or increase views on the articles they posted (to me the titles only made me think "Duh!").

    If they want to distract us, they could make the site easier to read/navigate and fix the user profile. 🤭🙄🙃

  • ceanna
    ceanna Member Posts: 5,270
    edited May 2022

    Wow! I was gone for a few hours and now the mods have posted at least two dozen new threads. What--to divert our attention or inflate their numbers of active threads!?? It's all about tracking and numbers for donors! I don't intend to click on any of those suggested resources!

    The Mods need to stop reading their scripts from BCO and stand up and say no more deception. If it is illegal to not notify members of a security breach, BCO needs to come clean with us now.

    We've just been spinning our wheels here for over 10 weeks trying to identify and "fix" all the tech problems, which now seem like more deflection from the real security breach problem.

    I hope all of us on active threads will cut and paste the paragraph from IT Canada I posted on this thread a few hours ago (page 368) to their favorite threads to inform those who don't visit this thread of the security breach since BCO is not.

    Thanks for all who are reporting the breach to PA state office. And thanks, SerenityStat for the suggestions for filing.

  • Moderators
    Moderators Member Posts: 25,912
    edited May 2022

    Dear Community Members:

    During the last few days, much has been written about Breastcancer.org and a misconfigured s3 bucket. Unfortunately, there have been conflicting reports about this situation. We want to be sure that our community has the correct information, so in addition to the emails we have sent, we have separated fact from fiction below.

    The information shared on our site is stored in "buckets" – like file cabinets – in the cloud. We recently learned that a bucket containing member-uploaded images and avatars was configured in such a way that someone could theoretically access it and look at the images inside. When we learned of this, we restricted all access to the bucket, including temporarily restricting the access of our registered users thereby blocking anyone from viewing the images. We also engaged a team of third-party experts to investigate. We expect that investigation to be complete soon. We are finalizing steps to prevent public access to the bucket and expect our registered users to regain access to the images today.

    We want to emphasize that any statements that Breastcancer.org has experienced a "data breach" are inaccurate. As are reports that Breastcancer.org was sharing medical records; we did not and do not share any medical records or patient information without your consent. While someone could have viewed the images stored in the bucket one-by-one and determined information such as the longitude and latitude coordinates from when those images were taken, we do not have any information to suggest that anyone did so.

    We apologize for the inconvenience and concern that this situation has caused some of you. The security of your information remains a priority for us.

  • Beesie
    Beesie Member Posts: 12,240
    edited May 2022

    Mods, we understand. It was a possible / potential data breach due to the fact that the data was not secure. We can't know if the data was actually breached or not. Got it.

    How does BCO explain knowing about this for 5 months before taking action? How do you explain not honestly explaining this to discussion board members when you sent out the email restricting access to pictures? The facts are the facts, aren't they?


  • wrenn
    wrenn Member Posts: 2,707
    edited May 2022

    It boggles the mind to see how stupid you think we all are after all of the intelligent postings above. But I guess the exasperation is a good distraction for me from the sadness at the loss.

    Makes me nauseous frankly.

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    1. Define "recently". When did you first learn of notifications sent to various BCO contacts over the past 5 months?
    2. White hats were able to get a count of registered users and image files. They "breached" the flimsy security to get to our "data". They even described some images of medical tests.
    3. A few users have been able to post images already, and I've seen years-old images in an old post. Your bucket is still leaky, making me unsure of the tech team you've hired.
    4. Seriously?

  • MinusTwo
    MinusTwo Member Posts: 16,634
    edited May 2022

    Interesting Mods - thanks for at least responding. I'll have to read again, digest and think about your post.

    I don't read or post on ANY social media sites except BCO. NONE!!! I am hyper security conscious. Some years ago I asked my son to change my personal computer high security parameters so I could get images & memes on BCO. He wasn't happy about doing it, but he did. So for many years I checked in here every day. I made lots of friends that I really care about. I met a number of those people in person as I traveled around the country before COVID. I honestly tried to answer questions every day from people who were newly diagnosed & confused or hurting. I kept my diagnosis to the 'signature' line when the program was changed some years ago to allow for the HUGE long, complicated diagnosis section.

    My take at this point - BCO has no business soliciting medical records - and never did.

    I am not even going to look at 'my profile' at this point - since even opening those records may cause inappropriate changes.

    I will never join a BCO ZOOM meeting, although I have become quite prolific at them in the last few years. I like to read & think about what people say before responding. But it appears that BCO is really pushing this. Is that true???

    So my problem is - I loved talking to members on this site. Now I read just a few threads and limit my posts to even fewer threads. I don't think I'm alone. Most of us are frustrated and running scared. Many of the people I cared about have dropped out. I'm not about to go to 'active threads' to see the disasters that have been created - while I used to go there every day - again to try to pay it forward.

    Wishing you the best - but I can't imagine how you can resurrect the discussion boards. I miss my 'safe place' and my 'sisters'.

  • MinusTwo
    MinusTwo Member Posts: 16,634
    edited May 2022

    Oh for crying out loud MODS - no way to log out again. Can't get to 'my profile' or the option to log out. URGH

    Edited to say - we don't need "trusted guidance". We need a place to LOG OUT!!!!!!!!!!!!!!!!

  • Beesie
    Beesie Member Posts: 12,240
    edited May 2022

    WooHoo! And now I can't sign out again! I would post a picture of screenshot of where I'm stuck, but of course I can't post a screenshot. It's the same issue as last week. I click to move to the logout page, the page appears to load, but nothing happens. I tried about a 1/2 dozen times. Finally came back here to post.

    And now I will shut down this private browsing page on my iPad so that I am hopefully logged off, since there seems to be no way to log out on the site itself.

    Gee, we've asked for a clear logout button, haven't we?


  • Moderators
    Moderators Member Posts: 25,912
    edited May 2022

    Hi minustwo.

    We are sorry for the frustration. If you look at the top right hand side of the webpage there should be a grey button with the first initial of your username (in your case an M). Once you click on this it will take you to your profile. Once you are on your profile, on the left hand side is a vertical menu bar. At the bottom there will be the words, "sign out". If you click on this it should sign you right out. Please let us know if this is still not working for you and we will try our best to address the issue.

    We hope this helps.

    --The Mods

  • ceanna
    ceanna Member Posts: 5,270
    edited May 2022

    Mods, thank you for finally responding to one issue. This is information BCO "leadership" should have given to us 5 months ago, but, frankly, I'm not trusting what you are saying. The fact that a data security organization could access the bucket and tell us what's in it is itself the breach. Who knows how many others found the same path before BCO worked to restrict access since you didn't seem to respond to the warning for months. Your definition of breach does not match reality. BCO private files were breached. Period. Your 5 month delay and explanation is a lot too late! It's going to take a long time, if ever, for members to trust again once you finally get this mess cleaned up.

  • Beesie
    Beesie Member Posts: 12,240
    edited May 2022

    Mods, thank you for describing the page that is not loading. The process you describe is what I usually do to sign out. I'm sure it's what MinusTwo does too. How else do you think we've been signing out at other times?

    What you describe is exactly what is not currently working. When I click on my initial, I get to my profile. When I click the vertical menu bar, the page does not load.

    Got it?



  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    Mods,

    Please explain how some users are able to post images while most everyone else is restricted? Is the image bucket truly locked down and these users are loading their images elsewhere? This should be investigated to be sure the bucket is secure. Right now there’s a hole in your bucket, dear mods.

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    Mods,

    The best way to address the missing Sign Out button is to place it back at the top of the page next to the Login button. Toggle between them based on login status.

  • kathindc
    kathindc Member Posts: 2,042
    edited May 2022

    Mods, BCO just recently learned of the problem. Really! I don't consider five months recent. Do you actually think we are buying that when we know you ignored these many warnings? Do we have stupid flashing in neon lights on our foreheads? I think not! The way you have answered or not addressed some serious questions about the changes made, glitches and the unsecured bucket is an insult. Shame on you!

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    Mods,

    I see that you've added your post on the data breach to the Announcements. Until now I hadn't read the article from the Safety Detectives that found your image bucket completely unsecured.

    You say that the images could be theoretically accessed, yet they actually downloaded a few of our images, obscured faces, and placed them in their report. They proved that images shared through private messages were exposed. For months they tried to contact you privately about the unsecured data. If you had responded, they would not have had to publish this report.

    https://www.safetydetectives.com/news/breastcancer-leak-report/

    Who should we trust?


  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    I have had to configure security in different places, but not in AWS. In all of them, leaving security settings at the default is never an option. Your tech team misses too much.

  • ceanna
    ceanna Member Posts: 5,270
    edited May 2022

    Serenity, thanks for sharing that latest article. It is so awful that members' pictures and avatars were accessed and even though the security organization blurred the faces, some will probably be able to identify certain members or family members. What's even more frightening is that the security firm was able to create two new BCO accounts and share pictures between these two accounts in private messaging. These images were later also found in the same unsecured "bucket" that they breached multiple times. Obviously, this firm was in and out of unsecured BCO files for quite some time to demonstrate this and find that our PMs were not secure either, yet BCO took no notice of the warnings and breach until recently. Trying to explain it away today in the new announcement doesn't work. Take responsibility, be accountable, and tell us honestly what you are doing. You seem to want to divert from the seriousness and legal aspects of this breach.

    Here's a paragraph from the article serenity posted above:

    We decided to test whether post images were uploaded from public posts or private messages. We created two breastcancer.org accounts and sent an image from one account to the other. The image we sent later appeared in the bucket, confirming our suspicion that private images were exposed.

  • celia088
    celia088 Member Posts: 2,570
    edited May 2022

    I have been and still am really horrified and completely disgusted by the current state of this website, and ESPECIALLY by the situation of the security breach, including the outrageous 5 MONTH DELAY of the mods and owners of this site in not NOTIFYING us about this SERIOUS mess and not responding to inquiries from security watchdog sites. This is egregious behavior on the part of the owners and mods of BCO.org. I have trusted this site since I was diagnosed 18 years ago and I am shocked by all of this crap. I read the last post of the mods that downplayed the seriousness of the breach and insisted that they were going to tell us the real facts and not the misinformation they claimed that was out there. That post from the mods was not really believable to me. It sounded to me like a very hollow, non-truthful excuse (i.e., "fake"). I think they have completely ruined the reputation, reliability, and future of BCO.org for good.

    Thanks to all the members on this thread who have made technical suggestions and given us good explanations of what is going on, and kept researching the problems and delivered the news of the breach that the mods themselves would not tell us about.

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    It was their post about separating fact from fiction that made me go back and thoroughly read the linked article. I needed to be sure.

    BCO is trying to downplay the data breach. It's true that they don't know if any data had been accessed (except the white hats showed that they did). Enabling security usually triggers logging. They didn't, so no logging. This bucket, in use since 2017 with images dating back to 2014, likely has been exposed all that time. No one resets security to the default and leaves it there. Well, maybe BCO's tech team does.


  • AliceBastable
    AliceBastable Member Posts: 3,461
    edited May 2022

    I just read the linked article and I started feeling sick from panic, having to think, "What images have I posted in the four years I've been here?" I am sure I'm not the only one who had that reaction. What's even more sickening is that pile of horse manure posted by BCO. Have they been hiring some unemployed ex-White House press secretaries to come up with their messages? Because it's that kind of evade-deflect-minimize-lie non-explanation. Every day in every way, BCO shows itself to be less and less trustworthy.

  • zogo
    zogo Member Posts: 20,329
    edited May 2022

    serenitystat, Thank You for posting the link to that article. After reading it, the message is quite alarming.

    (And I'm thinking donation money should go to SafetyDetectives, as they work pro bono! But, they don't have a giant red Donate button at the top and bottom of their page.)

  • DivineMrsM
    DivineMrsM Member Posts: 9,620
    edited May 2022

    Mods,

    I have NOT gotten an email about loading images. I have NOT gotten an email about the data breach. Why not? I am a member for 11+ years. If I am not getting the mass emails that are supposedly sent to ALL bco members, how many others are not getting them, either?

    I see that celia has posted on this thread several times. Almost all her other posts are on the In Memorium thread, noting the passing of members, which is how I’m familiar with her. To see celia lodge complaints here tells me how serious the technical problems of the forum are. Smh


  • Moderators
    Moderators Member Posts: 25,912
    edited May 2022

    DivineMrsM,

    Your account has been set to unsubscribe from email communications, which is why you did not receive the email. If you'd like to re-subscribe, you'll be sure to receive notifications.

    Thank you.

    --The Mods

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    Mods,

    How many emails did you send? Your announcement states “emails”. Did you send one about the data breach?

    I only received one email about image access being restricted.

    Don't ignore me this time.
