New Model Mayhem security breach gave random members access to other members’ full profiles

I was not going to write about this yesterday when it happened. Frankly, by the time I found out about it, it was old news and Model Mayhem snafus were getting so common that I didn’t really think it warranted another post.  But Model Mayhem’s refusal to alert members makes it necessary to inform as many members as possible about how their private information may have been compromised.


At 10:05 am on April 26, 2010, a member reported in the site-related forum that he had full access to another member’s profile. In fact, he was a photographer posting under a model’s profile. He could read all of her emails and had full control of the other account. By all indications, nothing special had to be done to gain access: he simply found himself logged in as another member. An admin later reported that Model Mayhem had already been aware of the problem minutes before that thread was started. Forty minutes later came the first response from a moderator: “I’m bringing this to attention of admins as quickly as possible”. Minutes after that, further posts from a site admin and the site manager said they were working quickly to get it resolved.

At 3:36 pm, five and a half hours after it was first reported, the site manager announced:

We believe we have just fixed the issue. If anyone still experiences this, please let us know immediately. Privacy is extremely important (which is why we force people to log in when changing devices) and we take it very seriously.  We apologize for this occurrence.

Following that, there were multiple questions about why the site was not taken offline to resolve the issue. Keep in mind that in the last security breach, which was caused by a site admin, the site was taken offline within minutes, and during that breach member data was not compromised; the only thing exposed was some embarrassing threads started by moderators. Here is the response as to why the site was not taken offline this time, when an unknown number of members’ profiles were exposed:

Whenever something of this nature happens we must consider the community as a whole, and while a few members were affected by this it didn’t make sense to shut the entire site down. It just wasn’t necessary. If we felt that the problem was widespread and we were not able to contain it, then yes, the site would have been shut down. link

Decide for yourself how you want to interpret this statement.

Over the next several hours there were many calls for a site-wide notification, all of them ignored. A moderator stated:

Because there was NO evidence that there was a widely spread problem.

In fact, it is beginning to appear that not all of the problems reported were real in the first place. Shutting down the site and/or making an alarming site wide announcement would not make much sense if the problem was very limited in scope. That doesn’t mean it is not a serious issue…but as I said before it may not have been a very widely spread issue despite how serious it is.

Investigations continue. link

I think it’s terribly irresponsible for Model Mayhem to refuse to inform its members that their personal data may have been compromised. By all indications, they do not have the means to definitively determine which accounts were exposed. Scoping an incident like this requires logs that tie each request to both the session that issued it and the account it was served as; without that, “a few members were affected” is an estimate, not a finding, and the only responsible thing to do is to inform all members of the possibility that it happened to them. When this was suggested, a few members said it would cause problems, or that there was somehow no way to word it properly, while at least one moderator commented that it might create a lot of work due to false reports. Site security breaches are not new; companies deal with them. When one happens, a responsible company has a plan of action that includes informing all potential victims, not just confirmed victims. Many states, California among them (Civil Code section 1798.82, the statute enacted as SB 1386), have laws in place requiring notification.

Model Mayhem’s position seems to be “we’re not telling everyone there is a problem, but we have posted an obscure note on page 2 of a site-related thread saying you should contact us if you think there is a problem”. That shifts the burden onto the members when the responsibility clearly falls on the site. What they should have done was post an announcement (the same tool used to announce the all-important free shipping on comp cards) and refer members to a page instructing them what to do. Of course such a page does not exist, because Internet Brands and Model Mayhem likely did not have an action plan for such a scenario. It took me 5 seconds on Google to find this Recommended Practices on Notice of Security Breach Involving Personal Information. Note especially part III regarding notification.