How not to verify a data breach (and why some really want you to get 'pwned')

Whatever you do, don't break the law...
Written by Zack Whittaker, Contributor

This year, we've seen dozens of hacks, breaches, and leaks of billions of records. And it's still only September. But there are now so many hacks and breaches that you may never hear about most of them.

In most cases, only the "verified" breaches make it to the light of day. And that process alone can take days or even weeks of trying to figure out if allegedly hacked data is what is claimed.

In the hacker space, where everyone is trying to play someone else, nothing is ever immediately clear.

Just as hackers want verification for credibility or acclaim, some breach sites want news coverage to sell something. The hacked companies want to know so they can disaster-manage (companies get hacked because their security is bad, not because the hackers are always that good), and news outlets want the exclusive.

But also -- verification is important for the victims. The sooner victims know about data breaches, the sooner they can protect themselves.

Make no mistake, verifying data isn't an easy process. It's time consuming, laborious, and not always fruitful. Patience is required. Motherboard reporter Joseph Cox, a veteran in data breach reporting, has a run-down of how reporters can verify a data breach. It's a guide to how other reporters can verify hacked data, too.

And then you have security researchers and experts, who have their own skillsets, which can be used to verify data breaches. Take security expert Troy Hunt, whose non-commercial breach search site, Have I Been Pwned, lets potential victims search to see if their data has been compromised. Hunt, too, has explained in great detail how he verifies breaches.

Because of the explosion this year in the number of reported hacks and breaches (we alone have covered more than a dozen, and we admit when it's not possible), numerous data breach monitoring and notification sites that offer services similar to Have I Been Pwned have sprung up.

But unlike Hunt's site, widely considered to be the gold standard of breach verification and notification providers (which he provides for free), many other sites don't bother to verify the data they receive.

That leads to mishaps and misfirings, as well as an undermining of trust.

A Reuters exclusive earlier this year cited one security expert who said "hundreds of millions of hacked usernames and passwords" for email accounts were being traded online. That story was later largely discounted because there was "no evidence" to suggest the data was stolen from the email providers.

Other cases have seen two sellers, who go by the names Peace and Tessa88, both pushing legitimate breaches, like LinkedIn, MySpace, and VK.com. But they've also pushed alleged breaches that haven't made the light of day -- or were proven unreliable, such as alleged attacks on Facebook and Instagram.

That's why even "trusted" hackers or sellers, who have a short but flawless history of reporting large, historical data breaches have to go through the same rigorous verification process each time.

Take one recent example: a cybersecurity startup told me that it had a database of tens of millions of accounts leaked from a historical hack dating back many years. The startup told me that it had "verified" the breach because it "successfully logged into user accounts with the credentials found in the breach".

In doing so, it had violated at least two US federal laws (and that's just to start). Logging into someone else's account without permission is illegal in the US.

Besides, that still wouldn't be enough to verify a breach even to a reasonably low benchmark.

When reporters verify breaches, they walk a line to ensure they're not intrusive or inconveniencing people. One of the easiest ways to begin verifying a breach is by enumerating disposable Mailinator email accounts through a website's password reset field. Reporters also have to examine the data -- such as seeing if there are duplicate entries and reviewing the column headings and file structure. These alone can determine with a higher degree of confidence if the data is genuine. Often, the best and most reliable (though usually painstakingly slow) way to verify that data is to ask the victims themselves, and then the source of the breach, and hope that nobody gets ahead of you before you publish your story.
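The offline part of that work, examining the file itself before contacting anyone, can be partly scripted. The following is an added example, not code from the article, from Motherboard's guide or from Have I Been Pwned; it assumes the alleged dump is a CSV file with a header row, and the data in it is constructed for illustration. It counts exact duplicate rows and duplicate emails, checks that the column headings make sense, looks at how the email domains are distributed, and checks whether the password column is a consistent hash format (a dump that mixes 32-character hex strings with free text, or whose "email" column is full of malformed addresses, is a reason for suspicion, not proof either way). Nothing here touches the allegedly breached service.

```python
"""Offline sanity checks on an alleged breach dump (constructed sample data)."""
import csv
import io
import re
from collections import Counter

# Constructed sample dump. The accounts, hashes and dates are invented.
SAMPLE_DUMP = """email,password_hash,created_at
alice@example.com,5f4dcc3b5aa765d61d8327deb882cf99,2009-03-12
bob@example.org,e99a18c428cb38d5f260853678922e03,2009-05-01
alice@example.com,5f4dcc3b5aa765d61d8327deb882cf99,2009-03-12
carol@example.net,not-a-hash,2010-11-30
dave@example.com,098f6bcd4621d373cade4e832627b4f6,2011-07-19
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


def analyse_dump(text):
    """Return structural statistics about a CSV dump, without contacting anyone."""
    reader = csv.DictReader(io.StringIO(text))
    headers = list(reader.fieldnames or [])
    rows = list(reader)

    # Exact duplicate rows are common in re-packaged or padded dumps.
    row_keys = [tuple((r.get(h) or "").strip() for h in headers) for r in rows]
    duplicate_rows = len(row_keys) - len(set(row_keys))

    # Pick the email column by heading name (assumption: a heading containing "mail").
    email_col = next((h for h in headers if "mail" in h.lower()), None)
    emails = [(r.get(email_col) or "").strip().lower() for r in rows] if email_col else []
    valid_emails = [e for e in emails if EMAIL_RE.match(e)]
    invalid_emails = len(emails) - len(valid_emails)
    duplicate_emails = len(valid_emails) - len(set(valid_emails))
    domains = Counter(e.rpartition("@")[2] for e in valid_emails)

    # Inspect the password column: consistent hex lengths suggest a single hash scheme.
    hash_col = next((h for h in headers if "hash" in h.lower() or "pass" in h.lower()), None)
    hash_lengths = Counter()
    non_hex_hashes = 0
    if hash_col:
        for r in rows:
            value = (r.get(hash_col) or "").strip().lower()
            if HEX_RE.match(value):
                hash_lengths[len(value)] += 1
            else:
                non_hex_hashes += 1

    return {
        "headers": headers,
        "rows": len(rows),
        "duplicate_rows": duplicate_rows,
        "invalid_emails": invalid_emails,
        "unique_emails": len(set(valid_emails)),
        "duplicate_emails": duplicate_emails,
        "top_domains": domains.most_common(3),
        "hash_lengths": dict(hash_lengths),
        "non_hex_hashes": non_hex_hashes,
    }


def red_flags(stats):
    """Turn the statistics into human-readable reasons to be sceptical."""
    flags = []
    if stats["rows"] and stats["duplicate_rows"] / stats["rows"] > 0.1:
        flags.append("more than 10% of rows are exact duplicates")
    if stats["invalid_emails"]:
        flags.append(f"{stats['invalid_emails']} malformed email addresses")
    if len(stats["hash_lengths"]) > 1 or stats["non_hex_hashes"]:
        flags.append("password column mixes formats (not one consistent hash scheme)")
    return flags


if __name__ == "__main__":
    stats = analyse_dump(SAMPLE_DUMP)
    for key, value in stats.items():
        print(f"{key}: {value}")
    print("red flags:", red_flags(stats) or "none")
```

Run it against a real file by reading it into `analyse_dump`; the thresholds in `red_flags` are arbitrary starting points, and a clean result still only means the file is internally consistent, not that it came from the company it is attributed to.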

In the aforementioned recent example, we couldn't verify the breach, which is why we're not naming the allegedly "hacked" company. The company also didn't respond to repeated requests for comment.

That's why we didn't cover the story, because we just can't be sure. It may turn out down the line that the company had been hacked, but at least we wouldn't have to retract a story.

This boom in hack reporting has in part led to a cycle of more awareness and coverage, which has led to more data breach monitoring and notification sites popping up (the majority of which have a commercial arm, or they exist to support a product they sell). In those cases, it's often quantity over quality, because there's little value or motivation by for-profit companies or groups to verify data.

It's almost as if some want you to get hacked -- or "pwned" -- because the more data they get, the better they look.

No wonder people think it's the year of the data breach.
