Meet Chris Vickery, the internet's data breach hunter

His job is simple: Find leaked and exposed data before the bad guys do.
Written by Zack Whittaker, Contributor

NEW YORK -- It's a phone call you hope never comes in: Chris Vickery has found your company's entire set of customer data on the internet.

He sits at his desk, littered with external hard drives storing terabytes of data, in his home office in Santa Rosa, Calif., where he scours the internet for data that shouldn't be accessible -- a phone number, a social security number, or credit card data -- sitting in databases that aren't password-protected for anyone to access.

Using search engines for internet-connected devices, like Shodan, and tools that scan common ports where data typically live, Vickery can tick off hundreds of internet addresses and their ports for leaky databases, badly configured backup drives, and other inappropriately stored data.

It's a race to find accidentally exposed data before the bad guys do.

But it's a time-consuming and technical job that requires focus, patience, and the temperament to accept failure and to know when to call it a day.

Like others in the security research space, it also requires working strictly ethically and within the lines of the law. When Vickery finds an exposed database, he goes through a process of responsible disclosure -- usually as simple as privately informing the company of its mistake -- in the hope that it can seal the leak before a criminal can steal the data.

Only when the data is safe does he blog about his findings so that readers can learn from others' mistakes. "It's kinda like a treasure hunt," he told me on the phone last week.

Vickery, a softly spoken southerner, isn't driven by money or reputation -- though the latter has become an occupational hazard of his blogging.

Through his blog, Vickery is one of a handful of security researchers in recent years who have sparked more headlines than almost any other person, and yet he isn't a household name. His work has resulted in protecting the personal information and privacy of tens of millions of people.

In the past few years, Vickery has found sensitive data from hotel chains, a massive financial crime and terrorism database, several breaches of health data, leaked data from a dating app for HIV positive people, a publicly stored trove of voter registrations on 93 million Mexicans, a law firm's files that cast doubt on the official report into an inmate's death, and a leaky airport server that stored highly sensitive TSA files -- to name just a few.

His work for the past couple of years has been associated with Kromtech, the maker of MacKeeper, a utility software for Apple desktops that some might call controversial: it has been fraught with complaints and concerns -- which the company has rebuffed -- in part because of its perceived pushy advertising tactics and aggressive affiliates.

It's fitting that it was a data breach that brought him to the company, after he found 13 million accounts in its unprotected database.

As of Monday, Vickery started a new full-time role at UpGuard, a cybersecurity startup, which last year raised $17 million in financing, pinned on its core product, a cybersecurity grading system.

The Mountain View, Calif.-based company's flagship product is a credit-style score for cybersecurity, which determines a company's cyber-risk factors by scanning its internal network and systems and spitting out a report on where it can improve. UpGuard also has a free web-based tool that lets anyone run a scan on any company's external network (such as a website and subdomains) to measure its security posture.

The company's co-founder and co-chief executive, Mike Baukes, said on the phone last week that Vickery's name "kept coming up" in the discovery of data breaches.

"Our capability isn't just about developing products that help fix issues that Chris finds," said Baukes. "It's also about elevating these issues to the right places and raising the industry's awareness," he said, arguing that many cybersecurity products have an "inability to translate the issues properly" and leave "people in the dark" about what they need to do next.

"We share a similar belief system," said Baukes, calling Vickery's work "deeply honorable."

Chris Vickery. (Image: RSA)

Vickery's work began back in his native Austin, Texas, while he worked his former day job as an IT technician at a law firm. What was initially an academic curiosity about security and data protection slowly evolved, as his fascination with security grew, into a full-time passion.

One small data exposure led to another, and during those formative early days he came to recognize that there were huge swathes of exposed data if you knew where to look.

He jumped down the rabbit hole of data breach discovery and hasn't turned back.

Now, Vickery is seen by many -- reporters and fellow security researchers alike -- as the master of the internet's lost-and-found department. He's driven by a desire to return this leaked and misplaced information to its rightful owner. He is guided by a strict set of mostly self-imposed moral guidelines that dictate how he works, and his process from discovery to disclosure relies almost entirely on reaching out in good faith to the unwitting companies that -- often through carelessness -- have leaked the information their customers trusted them with, and asking them to come clean.

"If the companies that I inform respond well and fix things and don't just ignore me and think I'm trying to take advantage of them somehow. And if they do notify the affected people, secure it quickly, and are open about it -- and they're not trying to demonize me -- that's a good day," he said.

"A lot of the time those elements don't come together," he explained.

But not everyone appreciates what he does.

Few want to be told that they have committed a fundamentally basic but catastrophic security error. All too often, though, Vickery's act as a good Samaritan is met with hostility -- or worse, he's used as a scapegoat when companies seek to shift the blame to the work of a "hacker."

"It's extremely frustrating when companies don't take responsibility for breaches," he said. "But it's a natural human response for some -- a knee-jerk response," he said, to blame the person who found the data rather than their own shoddy security.

Vickery is not a hacker, but the law covering security research and breach discovery is far from simple, thanks to the antiquated Computer Fraud and Abuse Act (CFAA) -- persistently reamed by critics as a barrier to security research because of its overbroad terms and definitions.

Where the law requires hackers to gain "unauthorized access" to a server to fall foul of it -- for instance by using or cracking a password that keeps everyone else out -- the data that Vickery finds is never protected in the first place.

Arguably, his discoveries are no different from how ordinary internet users browse the web.

"Browsing is requesting files from a directory on a web server and displaying them onto your screen. Every time you visit Amazon, you're downloading files from Amazon's servers. That's exactly what I'm doing," he said.

"If what I'm doing is illegal, then browsing any web page is illegal," he said.

The CFAA has been ridiculed and scoffed at. The law, for instance, makes it illegal to share your Netflix login with someone else -- or even your social media account, effectively putting the social media team of any leading brand at risk of violating federal hacking laws.

Congress has tried to fix the law but to no avail, and it remains a serious threat to security researchers and their work.

But just last month, Vickery was named in a lawsuit against River City Media, in which the company, accused of being a top spammer, exposed its own systems by failing to use a password on a backup drive. The lawsuit accuses Vickery of being a "vigilante black-hat hacker," though no government agency has ever brought charges of their own.

"They have made up a lot of things I'm certain they can't prove," he said in response to the complaint. "Certain people will always try and defer blame," he said. "What is a profit-minded corporate guy going to do -- potentially give up millions of dollars in fines or say that this one guy hacked me? It's a clear decision on their side. The best leaders and companies will accept responsibility in a situation -- but bad businesses, they tend to focus on 'shooting the messenger'."

I asked whether the lawsuit, if successful, could have a chilling effect on security research -- or even for reporters, like myself, who cover data breaches, leaks, and exposures.

"If they can make up and fabricate events and have a jury believe them -- well that's going to have a far greater effect than chilling researchers and data breach reporting," he said.

"That means the entire system is broken," he added.

It doesn't seem that Vickery will back out of this line of work anytime soon. He's a man on a mission, and given his already hectic work-life balance, he admits that he far exceeds the nine-to-five confines of most corporate jobs. It's something he loves -- and a necessity for the next wave of Americans whose data he wants to try to protect.

But it's a hostile world, and he, like the rest of the security community, faces the persistent threat of undue hostility from the corporate world, absent a landmark decision that -- in his words -- would change the face of computer law enforcement. And that case could, if it escalates, put Vickery at the forefront of that law change -- for better or for worse. It makes you wonder why someone would put themselves in the line of legal fire.

"Somebody has to do it," he said. "And I feel a duty to carry on doing what I do."

Header illustration: Lemmino/Deviant Art.