Data breaches are a curious thing; they come about as a result of highly illegal activity yet are coveted by criminals and good honest technology professionals alike. I’ve written before about how these breaches are being sold and traded which is obviously the seedier side of things, but they’re also enormously useful to the good guys.
Just today I had someone share the following email from Amazon with me which I’ve reproduced with their permission:
Shortly after, the got another one from LinkedIn:
I find this curious on many levels. Firstly, Amazon and LinkedIn are actively sourcing data breaches and I’m aware of other similarly large web assets that do the same thing. This is a grey area as I know all too well from running Have I been pwned? (HIBP). You deal with a lot of shady individuals to get this sort of data and it can take a lot of searching. There’s also the whole issue of legality and there are those that claim that any handling of “stolen” data is not legit. Yet here we have two huge online presences doing just that.
Then there’s the fact that they’re effectively reproducing the login process of their customers. Let me explain: Amazon and LinkedIn almost certainly store customer data via a cryptographically secure hash and the only way that they can do what they’ve done in the message above is to take passwords from a breach, hash them using the same process by which they store their customers’ passwords (which probably also means pulling the salt from their customer records), then comparing the results. In other words, exactly what you do when logging in.
But the process also raises another issue – what is their responsibility to notify the customer which data breach they appeared in? The guy above has just been told his personal info has been breached in another system. They have a high degree of confidence that the breach is legit as his password matches the one he also gave them. Should they not tell him which site his data was breached from? What if the guy is being severely disadvantaged as a result of that other breach?
Another issue on responsibility is timeliness. This individual almost certainly received that email as a result of the 000webhost breach (which incidentally stored passwords in plain text), one I disclosed publicly two and a half weeks ago now. Should they have notified him earlier? Could they have notified him earlier, because they may not have been able to even get their hands on the data?
I like the idea of this – proactively protecting customers – but it’s fraught with challenges. Companies such as these have more than enough lawyers and smart technical people to ensure they get this right, but it does raise some interesting issues on how they should run this process in a responsible fashion.
As for the guy reusing his passwords, he’s now a happy user of a password manager and busily creating unique passwords across all his web assets so that should be the last he sees of this style of communication!
