As more of our important personal information is stored online behind password-protected accounts, news about data breaches sends us scrambling to find out if our passwords were hacked. One of the best places to find out is Troy Hunt’s website, www.haveibeenpwned.com, where anyone can input their email address to learn if it has been compromised.
Hunt, an Australian information security expert, has spent thousands of hours studying data breaches to understand what happened and who was at risk.
“I kept finding the same accounts exposed over and over again, often with the same passwords, which then put the victims at further risk of their other accounts being compromised,” Hunt said.
He became concerned that everyday people were unaware of how big the problem was. In 2013, when an Adobe customer account breach put more than 150 million user names, email addresses, passwords and password hints at risk, Hunt launched his site. He runs it on a “shoestring budget” out of his own pocket, and his approach has been to keep it simple and keep it free.
Business, unfortunately, has never been better.
“Data breaches have increased dramatically since I started, both in terms of frequency of the incidents and the scale as well.”
He points to a handful of reasons. To start, people have more devices connected to the Internet every year, from phones to refrigerators to teddy bears. With more connected devices and more accounts created with them, more data is being collected.
“The cloud is another thing that has exacerbated the whole problem because as awesome as it is for many things, it also makes it very cheap to stand up services, so we’re seeing more services [with logins],” he said. “It’s also very cheap to store data, so we see organizations hoarding information. Companies like to have as much data as they can so they can market to people.”
We’re also entering the digital native era, a time when more people are online who have never known a time when it was different.
“Their propensity for sharing information and their sensitivity toward their personal privacy is all very different than it is for those of us who reached adulthood before we had the Internet,” he said.
All of this adds up to more information out there from a lot more sources. And not every company is doing a stellar job of protecting that information or destroying it when it’s no longer needed, which makes it vulnerable.
“The reason we have these headlines everyday is because clearly we’re not taking security seriously enough,” Hunt said. “The really big stuff — like your Twitter and your Facebook — is very solid these days, and the vast volume of our Internet behavior is on sites that have done a very good job. The problem is when you get to middle or lower tier sites where you’ve got a lot less funding, and you don’t have dedicated security teams.”
“Pwned,” which rhymes with “owned,” is a slang term meaning your account has been utterly defeated, cracked and, yes, owned. Shortly after his site’s launch, Hunt added a feature where one can sign up to be notified if their email address gets pwned in future data leaks. In February 2017, he hit one million subscribers. When Hunt started, he poked around in forums, dark web sites and even public web sites to find leaked data. What he discovered was fascinating.
“There is this whole scene where people share data breaches,” he said. “It’s very often kids, young males, teenagers, who are hoarding data. They collect as much as they can, and they exchange it like they would baseball cards. Except unlike with baseball cards, when you exchange data, you still have the original as well.”
Sometimes data is also sold. When the LinkedIn data breach occurred, the data was traded for five bitcoins, or several thousand U.S. dollars at the time. Hunt says the data is not typically used to break into the account from which it was stolen. Rather, it’s used in an attempt to break into other accounts where the victim reused the same password, such as a bank account or an email account, which is often the key to unlocking the victim’s other accounts. If you reuse passwords, you’re putting yourself at risk.
Today, people get in touch with Hunt when they come across a data breach.
“Fortunately I have a reliable trustworthy network that sends me information and makes it a lot easier to maintain the service. It would be very hard for me to go out and source all of this myself.”
Hunt takes great care when he learns of a data breach. His first step is to determine if it’s legitimate.
“A lot of the stuff out there is fake,” he said. “For example, there’s a lot of news at the moment about Spotify accounts, and these Spotify accounts are just reused names and passwords from other places. They weren’t hacked out of Spotify.”
Once that box is checked, he reaches out to the company to alert them, which he says is surprisingly difficult. Though he works hard to responsibly disclose the breaches to the companies affected, he has many stories of companies that ignore alerts that their customer data has been compromised. Finally, he loads the email addresses onto his site alongside those from MySpace, Xbox 360, Badoo, Adobe, Elance and many more.
Hunt also gives talks about information security to audiences around the world with the goal of getting more businesses and developers to approach projects with a defensive mentality. One of his sessions is a “Hack yourself first” workshop that shows developers how to break into their own work, giving them an opportunity to see offensive techniques first-hand.
“There’s like a lightbulb that goes off when people do get first-hand experience with that,” he said. “It’s enormously powerful as a way of learning.”
What can you do?
At Mozilla, we believe cybersecurity is a shared responsibility, and your actions help make the Internet a safer, healthier place.
Be smart about your logins
As an Internet citizen, there are a few fundamental things you can do to boost your account security online:
Check out Mozilla’s Guide to Safer Logins, which covers these tips in more depth.
It’s all too easy to ignore software update alerts on your phone and computer, but your cybersecurity may depend on them. Updating to the latest security software, browser and operating system provides an important defense against viruses, malware and other online threats like the recent WannaCry ransomware attack.
Use Lean Data Practices
As a business or developer that handles data, you should always be working to create a more trusted relationship with your users around their data. Building trust with your users around their data doesn’t have to be complicated. But it does mean that you need to think about user privacy and security in every aspect of your product. Lean Data Practices are simple, and even come with a toolkit to make them easy to implement: