With all these recent data breaches, what happens to the compromised data? Hackers share it amongst themselves of course!
WHEN HACKERS BREACHED companies like Dropbox and LinkedIn in recent years—stealing 71 and 117 million passwords, respectively—they at least had the decency to exploit those stolen credentials in
Earlier this month, security researcher Troy Hunt
“This is the biggest collection of breaches we’ve ever seen,” says Chris Rouland, a cybersecurity researcher and founder of the IoT security firm Phosphorus.io, who pulled Collections #1–5 in recent days from torrented files. He says the collection has already circulated widely among the hacker underground: He could see that the tracker file he downloaded was being “seeded” by more than 130 people who possessed the data dump, and that it had already been downloaded more than 1,000 times. “It’s an unprecedented amount of information and credentials that will eventually get out into the public domain,” Rouland says.
Size Over Substance
Despite its unthinkable size (the collection was first reported by the German news site Heise.de), most of the stolen data appears to come from previous thefts, like the breaches of Yahoo, LinkedIn, and Dropbox. A review of a sample of the data confirmed that the credentials are indeed valid, but that most of them are passwords from years-old leaks.
As another measure of the data’s importance, Hasso Plattner Institute’s researchers found that 750 million of the credentials weren’t previously included in their database of leaked usernames and passwords, the Identity Leak Checker, and that 611 million of the credentials in Collections #2–5 weren’t included in the Collection #1 data. Hasso Plattner Institute researcher David Jaeger suggests that some parts of the collection may come from the automated hacking of smaller, obscure websites to steal their password databases, which means that a significant fraction of the passwords are being leaked for the first time.
The sheer size of the collection also means it could offer a powerful tool for unskilled hackers to simply try previously leaked usernames and passwords on any public internet site in the hopes that people have reused passwords—a technique known as credential stuffing. “For the internet as a whole, this is still very impactful,” Rouland says.
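What credential stuffing looks like from the defender's side, as an added example that is not part of the original article: a dump like Collections #1–5 gets replayed against a login endpoint, so one source address tries many different usernames in a short window and only the handful whose owners reused a leaked password succeed. The detector below runs over a constructed, hypothetical auth-log format (not any real product's log) and flags sources that match that shape, while leaving a single user who mistypes their own password alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log line format assumed for this example (not a real product's):
#   <ISO-8601 timestamp> auth <success|fail> user=<name> ip=<source address>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, succeeded) or None for non-matching lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "success")


def detect_stuffing(lines, window=timedelta(minutes=5), min_attempts=20,
                    min_distinct_users=10, max_success_ratio=0.2):
    """Flag source IPs whose login pattern looks like credential stuffing.

    Stuffing means many *different* usernames tried from one source in a short
    window with a low hit rate (only reused passwords work). A user fumbling
    their own password is the opposite shape: one username, one source.
    Returns {ip: {"attempts", "distinct_users", "successes", "hit_users"}} for
    the busiest qualifying window seen per flagged IP.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        j = 0
        for i in range(len(events)):
            # advance j so that events[i:j] all fall within `window` of events[i]
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            span = events[i:j]
            attempts = len(span)
            users = {e[2] for e in span}
            hits = [e[2] for e in span if e[3]]
            if (attempts >= min_attempts and len(users) >= min_distinct_users
                    and len(hits) / attempts <= max_success_ratio):
                best = flagged.get(ip)
                if best is None or attempts > best["attempts"]:
                    flagged[ip] = {
                        "attempts": attempts,
                        "distinct_users": len(users),
                        "successes": len(hits),
                        "hit_users": sorted(hits),
                    }
    return flagged


def constructed_sample_log():
    """Constructed sample (not a real capture): one source replaying 25 leaked
    username/password pairs, two of which still work because the owners reused
    their passwords, plus two ordinary users logging in."""
    base = datetime(2019, 1, 31, 10, 0, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=4 * i)).isoformat()
        result = "success" if i in (3, 17) else "fail"
        lines.append(f"{ts} auth {result} user=user{i:02d}@example.com ip=203.0.113.7")
    # alice mistypes her password a few times, then gets in: not stuffing
    for sec, result in ((120, "fail"), (150, "fail"), (180, "fail"), (200, "success")):
        ts = (base + timedelta(seconds=sec)).isoformat()
        lines.append(f"{ts} auth {result} user=alice@example.com ip=198.51.100.4")
    ts = (base + timedelta(seconds=300)).isoformat()
    lines.append(f"{ts} auth success user=bob@example.com ip=192.0.2.9")
    lines.append("garbage line that the parser should ignore")
    return lines


if __name__ == "__main__":
    for ip, stats in detect_stuffing(constructed_sample_log()).items():
        print(ip, stats)
```

The thresholds are assumptions to tune per site: the distinct-user count is what separates stuffing from a brute force of one account, and the low success ratio is what separates it from a shared NAT address where many real users log in successfully. The `hit_users` list is the actionable output, since those are the accounts whose reused passwords should be reset first.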
Rouland notes that he’s in the process of reaching out to affected companies, and will also share the data with any chief information security officer that contacts him seeking to protect staff or users.
You can check for your own username in the breach using Hasso Plattner Institute’s tool
Rouland speculates that the data may have been stitched together from older breaches and put up for sale, but then stolen or bought by a hacker who, perhaps to devalue an enemy’s product, leaked it more broadly. The torrent tracker file he used to download the collection included a “readme” that requested downloaders “please seed for as long as possible,” Rouland notes. “Someone wants this out there,” he says. (The “readme” also noted that another dump of data missing from the current torrent collection might be coming soon.)
But other researchers say that such a massive database being freely shared represents something else: That enough old megabreaches of personal information have piled up in the hacker underground over the years that they can comprise a sprawling, impactful amount of personal information and yet be practically worthless.
“Probably the skilled hackers, the guys really interested in getting money from this, had it for multiple years already,” says David Jaeger, a researcher at Hasso Plattner Institute who analyzed the collections. “After some time, they’ve tried all these on the major services, so it doesn’t make sense to keep them any longer, they sell it for a small amount of money.”
Below a certain price, Jaeger adds, hackers often barter the information for other data, spreading it further and devaluing it until it’s practically free. But it could still be used for smaller scale hacking, such as breaking into social media accounts, or cracking lesser-known sites. “Maybe it’s worthless for the people who originally created these data dumps, but for random hackers it can still be used for many services,” Jaeger adds.
Hunt, after publishing the initial Collection #1 earlier this month, says he was surprised to find multiple people immediately offering to send him links to Collections #2-5. “What this represents that’s unprecedented is the volume of data and the extent it’s circulating in big public channels,” Hunt says. “It’s not the world’s biggest hack, it’s the fact that it’s circulating with an unprecedented fluidity.”
In that sense, Collections #1-5 represent a new kind of milestone: That the rotting detritus of the internet’s privacy breaches has gotten so voluminous and devalued that it’s become virtually free and therefore public, degrading any last private information it might have held. “When enough people have secret data, someone shares it,” Rouland says. “It’s entropy. When the data is out there, it’s going to leak.”