Concerned that you've been pwned? Troy Hunt can tell you. The 39-year-old Australian security specialist tracks every significant website breach - and lets you check if your email address has been hacked. His website Have I Been Pwned holds more than one billion hacked account details, and since 2013 has collated data from sites including Adobe (152 million email addresses), Ashley Madison (30 million) and Mate1 (27 million). Anyone can run their email addresses through his system to see if they have been hit; he says more than 350,000 people subscribe to be told if their details are added to the database.
So, how does he collect the data - and who will be hacked next? WIRED finds out.
WIRED: What led to the creation of your database?
Troy Hunt: I was doing analysis on a lot of data breaches and one of the things I noticed was the way that the same individuals crop up in different breaches. Once they had appeared more than once, they would have a richer profile in the data. You could take someone from the Adobe breach and have their password. Then you could look at other data breaches that would have information such as their mother's maiden name or their date of birth and start to draw patterns across them. I began to wonder if people are actually aware of just how broad their exposure is.
With each data breach, where do you get the customer data?
As I've run the service over the years I've learned more about how this information is distributed: you get people hoarding data breaches and then they trade them. It's like having a set of playing cards and swapping them. I never give anybody any of these data breaches, although sometimes this information does come privately through very quiet channels.
Are people making a living from selling hacked data?
Yes, there are numerous websites that are selling this data, not always on the dark net either. The other side, which I find more curious, is the data trading. I think the people doing this are just tinkerers: they like getting in there and having a look at what's going on, but they're doing it with highly sensitive information.
I get the sense that many people who get involved are kids, and that would be consistent with a lot of the arrests we see, like the VTech hack, where a 21-year-old was arrested. They probably just haven't realised the ramifications of what they're doing.
Do you see any trends across the data breaches?
I'm blown away by how frequently these incidents are occurring and how serious the data is. But even more than that is the number of incidents that never make the headlines. There are a huge number of websites, particularly websites running PHP bulletin board systems, which are compromised and they've each got hundreds of thousands or millions of records of data floating around. There are so many cases of data breaches where the organisations involved have absolutely no idea, yet within the circles that are trading the data it's really well known.
How do they miss it?
A lot of them aren't well equipped. I can understand that when we're talking about things like a gaming forum, maybe they don't take that seriously, but when we look at, say, VTech Toys with its billion-dollar revenues, it's just that the company hasn't invested in security and the general IT capability of the organisation.
How did you verify the VTech hack?
[When I was brought the data by a journalist] it wasn't clear where it had come from. I was pretty wary, which is part of the reason I went through the verification process. I looked at my subscriber lists and contacted the 20 most recent subscribers who had used VTech and said, "I've had something passed to me that's allegedly from a company and if you want to help then I'll give you a bit of data to help verify whether it's accurate or not." Everyone came back and said: "I did sign up for VTech and these are my correct address details." Also, when you start looking at the way an organisation stands up their online presence you get a sense of how likely it is that an event like this might have happened. I went to VTech and there was no HTTPS on login. This was unforgivable some time ago, so that's a black mark.
You hacked the Nissan LEAF through its API. Could this be done to other devices?
APIs are interesting for a few reasons. They're basically websites but instead of talking HTML and sitting in the browser they're talking XML and being called by a mobile device. They're one step further removed than a website would be and because of that you can hide a lot of developers' bad shortcomings. For all intents and purposes the car is an internet of things (IoT) device and I can imagine that Nissan - like others such as LIFX light globes or the iKettle - has had trouble with their security implementation because I suspect they're trying to rush to market. There's this IoT rush at the moment. It's a goldmine of hackable things.
Will this stop any time soon?
I don't see anything putting a stop to it. I suspect that the trend of breadth and volume is just going to increase. The only thing that will be different is that in two years' time instead of it being 300 million records I've got on the system, it will be 600 million or a billion. That's the way we're trending. We're not seeing organisations making their things any more secure.
This article was originally published by WIRED UK