'You can't just change your password and make it go away': Troy Hunt on rising data breaches

Troy Hunt wants governments to do more to prevent massive data breaches, by disincentivising companies

Troy Hunt knows everything about you.

He knows if your Dropbox, LinkedIn, or Ashley Madison data has been breached, and collates records on those breaches at his aggregation service Have I Been Pwned. He’s not planning on holding you to ransom over this: Hunt is providing a public service that has become so necessary it is hard to imagine doing without it. “I’m currently sitting on a couple billion records,” he explained, speaking at WIRED Security. “There are a lot I simply don’t have the time to process.”


The 39-year-old Australian security specialist tracks every significant website breach, and lets you check whether your email address appears in one. Have I Been Pwned holds more than one billion breached account records, and since 2013 has collated data from sites including Adobe (152 million email addresses), Ashley Madison (30m) and Mate1 (27m). The numbers are mind-boggling and seem to grow with each news item: Yahoo recently admitted that the data of 500 million of its users was compromised in a 2014 hack.

The media loves to portray hackers as terrifying individuals in hoodies, but Hunt points out that teenagers are getting hold of vast amounts of personal data using freely available software. This was the case for the recent TalkTalk hack, after which a quote from a former Scotland Yard detective led to scaremongering headlines blaming a Russia-based Islamic jihadist group. The hack turned out to have been carried out by two teenagers.

“When incidents like this happen, very frequently they just want to distribute it around,” said Hunt. “People reach out to me privately, saying I’ll give you 13 million records.” In one particular instance, the person who approached Hunt sent him a message saying: “I’m scared they will look for me.”

“Very often it is a scared kid. I try not to ask too many questions when people send me the data. I’m just interested in whether it is legitimate and where it came from.” It is usually obvious, however, when the person offering the data took it from the source themselves, and Hunt asks them to consider private, ethical disclosure to the hacked companies. “Usually they say, 'ok - but do you want the data anyway?'”

This, he said, is yet another sign of how prevalent breaches have become. Their frequency begins to lose meaning in a world where anyone can go online and find websites holding millions of personal records posted by hackers. These records are not all hidden away on the dark web and sold on the black market.

“Data is everywhere, it’s so easy to find it still blows my mind.”

“There is a laissez-faire attitude about data. We’ve almost lost the context of how important billions of details are. These records don’t just have emails - they have gender, birth dates. You can’t just change your password and make it go away.”

The hacks are so prolific that WIRED editor David Rowan pointed out Hunt’s own email address has seven hits on his service. Hunt explained that he does use all the tools available to protect himself, such as two-factor authentication, but that ultimately he has had to resort to self-censoring what he publishes. “As a consumer, there’s not a whole lot more we can do about that other than being conscientious about what we share - so on Facebook the pictures I post aren’t going to upset people.”

There is a big change that needs to happen, however, and it is governments that have the power to make it. “What we are not doing so well is disincentivising systems,” added Hunt. “The ICO handed a fine to TalkTalk that amounted to 0.02 percent of its revenue - for having egregious security flaws. There is not enough disincentive.”

At the time, the Information Commissioner's Office announced the penalty as a “record” fine. But in the context of the hack, the sum came to just £2.50 for each customer whose details were stolen, and £25 for every person whose banking data was taken in the breach.

The seriousness of breaches is escalating, and the risks are not only financial.

In December 2015, Hunt revealed that the names, pictures and birthdays of millions of children had been stolen from toy manufacturer VTech. In February 2016, he exposed security flaws in the Nissan LEAF's API. Greater efforts are needed to plug the holes in security systems, and to ensure companies are working harder than ever to protect their customers.

This article was originally published by WIRED UK