aprilthird2021 3 days ago

Everything is logged, but no one really cares, and the "business reasons" are many and extremely generic.

That being said, maybe I'm dumb but I guess I don't see the huge risk here? I could certainly believe that 1500 employees had basically complete access with little oversight (logging and not caring isn't oversight imo). But how is that a safety risk to users? User information is often very important in the day to day work of certain engineering orgs (esp. the large number of eng who are fixing things based off user reports). So that access exists, what's the security risk? That employees will abuse that access? That's always going to be possible I think?

simmerup 3 days ago

You really don't see the safety risk?

If you have a sister, imagine her being stalked by an employee?

If you have crypto, imagine an employee selling your information to a third party?

aprilthird2021 2 days ago

Yes, but an employee will always be able to do those things because some employees, even a large number of some employees, need access to user accounts and data for legitimate reasons, and since the only workable way is to track and punish later (cannot run the company if every user access needs human approval at the moment), it's always a risk.