I spend a lot of time looking at data breaches as a result of running the service Have I been pwned? (HIBP). Inevitably this means frequently coming into contact with people from the shadier side of the web, those lurking in the shadows and communicating from beyond the veil of online anonymity. Sometimes they’re the perpetrators of online attacks, but often they’re merely individuals who frequent the same communities.
Just last week I published a long piece on the 000webhost hack which focused on my futile attempts to ethically disclose a serious data breach. That in itself was an interesting (albeit somewhat depressing) commentary on our industry, but it was what I discovered about how breached data is being redistributed that really alarmed me. It’s being extensively sold and traded and, worse still, it’s frequently kids behind it.
Take that 000webhost example; after it became publicly apparent that I was in possession of the data, one individual told me that it was a “private” breach, that it was to remain in the possession of a select group of people. It was being sold for over $2k according to him. I later found it online for $1.5k. After I wrote the blog and the news was public, thus alerting those impacted by it, that same breach now lists for only $200. Market forces at play, by the looks of it.
Shortly after the 000webhost incident I had someone else approach me offering breached data. Where it’s an existing incident and the data has already hit the public domain then it’s usually a good fit so sure, I’d be happy to take a look… which is when he demanded “a sum of BTC”. Let us not trivialise what’s being asked here: these individuals are directly selling data which was hacked out of online systems. People are paying for this data not for curiosity purposes, but because they can monetise it – there’s an ROI for them and that means exploiting the individuals in the breach.
In a recent case, an individual who provided me with data got extremely nervous after I then made it searchable in HIBP and the press gave it a lot of coverage. He became paranoid he’d end up in jail and asked me to delete all records of our communication. On probing, it was pretty clear he was just a kid who never realised the implications of what he was up to until he saw mainstream coverage of the issue, including the involvement of law enforcement.
We saw more evidence of the involvement of children in this sort of incident just last week after the TalkTalk hack. First we had a 15-year-old arrested, then there was a 16-year-old arrested and most recently a veritable old-timer by comparison when a 20-year-old was also arrested. These guys are all frequenting the same communities and are just kids, either figuratively in that they’re quite young compared to the rest of us or, as with the first two TalkTalk hackers, legally still children. They’re selling, trading and in some cases directly hacking this data out of systems and the worst part is, they have no idea of the consequences of their actions… until it’s too late.