Last week technology news publication The Register revealed the location of nearly 620 million sets of personal data that had been stolen from various websites, after the data’s seller told the publication that he had put it on the dark web.
The original hacks were revealed a couple of weeks ago when website Have I Been Pwned said that personal data associated with nearly 620 million accounts had been exfiltrated from a number of websites, including MyFitnessPal, MyHeritage and dating website Coffee Meets Bagel.
And now The Register’s report has illustrated in detail where data ends up after hacks like this, how much it goes for, and even some of the motivations of its seller.
The article states that for around $20,000 worth of Bitcoin, a series of databases can bought from the Dream Market Tor-based marketplace. The data sets include 162 million datasets from Dubsmash, 151 million from MyFitnessPal and 92 million from MyHeritage.
That’s a significant discovery – we now know that massive datasets, which could enable huge levels of identity theft or even direct theft – are going for a mere $20,000. It also makes explicitly clear the direct impact of what happens when a website suffers a data breach. You can be sure that, if your details appear on Have I Been Pwned (which it probably does), some of your personal data has appeared on these sites and may well have been bought and sold.
The buyers of this stolen data, The Register says, are “spammers and credential stuffers” – which explains the data’s low price. It also explains the data’s use. As The Register explains: “Someone buying the purported 500px database could decode the weaker passwords in the list, because some were hashed using the obsolete MD5 algorithm, and then try to use the email address and cracked password combinations to log into, say, strangers’ Gmail or Facebook accounts, where the email address and passwords have been reused.”
That’s a scary thought. Equally scary, for the companies that own these websites, is the backlash that a hack causes. There are a multitude of consequences for companies that have data stolen, but the two main negative effects are arguably PR and regulatory.
Most of the companies that replied to The Register’s enquiries said something along these lines: “Our engineering team is currently investigating and if we can confirm there was a breach we will take the necessary steps to inform our users as per GDPR standards.” (That was a spokesperson for 500px).
Most of the statements, then, look to assure users and the press that the companies involved are investigating and will do what they need to do from a legal perspective. The reason for this, of course, is that the GDPR requires companies to inform both customers and regulators within a certain time frame once they become aware of a data breach – so by releasing statements such as these they are killing two birds with one stone.
But looking at some of the reaction to The Register’s article, it is clear that there are divergent views on the conduct of companies like this in instances such as these. Some argue that a lack of skills and proper management has led to the leaks and as such, the “incompetence” of the people involved should be punished.
Others argue – as perhaps many would agree – that data breaches are nearly inevitable. This is particularly clear when you consider the often-quoted proverb about hackers only needing to be lucky once, while security teams need to get it right every time. The logic of this suggests that data breaches will, indeed, be nearly inevitable, and there is therefore more to be learnt from the reaction of the company to a data breach than any preventative action it takes.
What some commentators argue is that the attitude of company executives is key. Data is highly valuable and highly personal, they say, so any executive that presents an uncaring attitude to this issue is far more damaging than one which presents a lack of knowledge. Executives can’t be expected to understand the technical aspects of data security, observers say, and so as long as they properly prioritise it, perhaps we should sympathise with them.
Sympathy for the devil
One group that most would agree we should not sympathise with is the hackers and data-sellers. The Register had an unusual encounter with the seller, in which he or she went on record to explain the motivations behind a criminal career.
“I don’t think I am deeply evil,” they told The Register. “Security is just an illusion. I started hacking a long time ago. I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.”
We’ll leave it to you to decide where you fall on data thieves such as these.