A VPN only raises the bar to prove your identity. If being linked to your posts on kiwifarms is going to be so personally devastating, you're effectively a political dissident.
Even then, you can identify a user easily using metadata - if someone is jumping between multiple nations then you know it's just the same person on a VPN. What they do protect you from is limited, and frankly there's no excuse for websites to use HTTP these days.
You'd be surprised how trusting people can be. If you're not expecting to be a victim a lot of times nobody will question it. People want to trust and assume the best until it blows up in their face. It only takes one time where you aren't paying attention, or not thinking about it to become a target. I don't think the site admin is retarded. I think what likely happened was she was caught off guard, probably juggling a couple different things at the time, and didn't even consider that people would want to target her. Mediafire also isn't the most unusual place to share files. I think it's real easy to look back on hindsight and realize that mistakes were made, but it can happen to anyone.
This is actually more of a sophisticated attack, in that it wasn't just some fire and forget phishing attempt - they actually used a bit of social engineering to get them to download the file. It's more investment, but more reward too.
While it's very true everyone will fuck up at some point, humans make mistakes, there are plenty of precautions that should have been put in place ahead of time so that if this did happen people wouldn't have their personal information leaked.
First off, why the fuck did she not have a work laptop, or if she's a cheap cunt some sort of virtual machine to separate things. That way she could have all her own details leaked and not the people who signed up to her site.
Second, the password security is so bad it should be criminal. She should have had the database set up so that a hacker couldn't access it.
When you handle this much data, you really should be liable for looking after it. Yet the US data protection laws are dogshit when it comes to this - they should require better.
Antivirus is nice but usually not necessary if you aren’t fucking around on any weird sites.
People as a general rule make mistakes, having something that can stop those mistakes from having consequences is almost always a great idea. Even if most people get very little benefit from it, it only takes someone clicking the wrong link on something like Twitter without one to ruin their day.