There’s little sense in hiding behind the fact that, like millions of LinkedIn members, I was alarmed to read that some 117 million passwords were released last month in relation to a 2012 data breach – and less than certain I wasn’t among the users who hadn’t changed their passwords since then.
I first learned about the attack, as I learn so much about the tech industry, on Twitter – which is also where I discovered the existence of “Have I been pwned?”, a free service run by Troy Hunt, a Microsoft channel representative and freelance security expert from Australia who writes articles for online technology training website Pluralsight, and travels around the world running a two-day workshop called “Hack Yourself First” that teaches software developers how to pre-emptively defend themselves against attackers.
“Have I been pwned?” couldn’t be easier to use: Simply enter your email address and the website will let you know if you’ve been the victim of a data breach.
Seconds after entering mine, I learned that not only had my LinkedIn account been compromised, but my Adobe account had been too – and I didn’t even realize I had an Adobe account.
It turned out that Adobe Systems Inc. was the victim of a data breach back in 2013, with hackers stealing the internal ID, username, email, encrypted password, and password hint from 153 million Adobe accounts.
Adobe declined to be interviewed for this story, while LinkedIn forwarded the message it sent to all compromised users (including me).
So what happens next?
Hunt started “Have I been pwned?” soon after the Adobe data breach.
“I’d been doing a lot of analysis across different breaches, and looking at some of the patterns that were emerging,” he explains. “One of the things I found very interesting was that I was seeing the same people appear over and over again, often with re-used credentials… so I thought it would be interesting if people could actually find out just how much had been compromised about them.”
Of course, to give users the ability to search for stolen personal information, Hunt needed to store stolen personal information himself. He takes the responsibility extremely seriously: “Have I been pwned?” saves email addresses on Microsoft’s Azure cloud platform, but nothing else, and compromised users can remove their email addresses from public search results.
“I don’t save any credentials or any other personal entry data,” Hunt says. “In fact, I’m quite certain that one of the things that’s kept me out of hot water with companies and from any potential legal recourse is that… you can’t use ‘Have I been pwned?’ to find your password, or whether your husband is cheating on you, or anything like that.”
Often Hunt will privately contact companies that have been victims of a data breach before publishing the data, noting that in some cases he has reached companies before the data has been redistributed, which means that, depending on the mandatory disclosure laws governing the type of data leaked, the breach can be kept relatively quiet.
“Obviously organizations don’t particularly want to say ‘we’ve been breached,’ but of course when it’s user credentials floating around I’ve got a bit of a moral obligation and, depending on the jurisdiction, a legal obligation to make a public statement about the fact that there’s been a breach,” he says.
Two months ago, for example, Hunt deleted leaked data involving some 4.8 million VTech accounts, because some of it involved children, and few people had access.
“We all agreed – ‘we all’ being everyone from myself to the class-action lawyers to the VTech counsel to the FBI – I had discussions with all of them, very amicable discussions too… that it’s better for everyone that this data just doesn’t exist,” he says.
Last year, before uploading the infamous Ashley Madison data breach, Hunt decided that ethically it would be indefensible to simply create a searchable database where, essentially, someone could look up whether their partner had attempted to have an affair. Instead he made it so that someone could only see whether they were part of the breach by checking their e-mail.
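The storage model Hunt describes (email addresses only, removable from public search, no credentials) and the email-only membership check, as an added Python illustration; this is not HIBP’s code, and the site names and records are constructed.

```python
from collections import defaultdict

class BreachIndex:
    """Toy breach index: stores normalized email -> breach names, nothing else."""
    def __init__(self):
        self._breaches = defaultdict(set)  # email -> set of breach names
        self._opted_out = set()            # emails removed from public search
    @staticmethod
    def normalize(email):
        return email.strip().lower()
    def ingest(self, breach_name, records):
        """Load a dump, keeping only the email column; passwords and hints are dropped."""
        kept = 0
        for record in records:
            email = self.normalize(record.get("email", ""))
            if "@" not in email:
                continue  # skip malformed rows
            self._breaches[email].add(breach_name)
            kept += 1
        return kept
    def opt_out(self, email):
        self._opted_out.add(self.normalize(email))
    def public_lookup(self, email):
        """Answers only 'which breaches is this address in?'."""
        email = self.normalize(email)
        return [] if email in self._opted_out else sorted(self._breaches.get(email, ()))
    def reused_across_breaches(self, min_breaches=2):
        """Addresses seen in at least min_breaches dumps (the reuse pattern Hunt noted)."""
        return sorted(e for e, b in self._breaches.items() if len(b) >= min_breaches)

# Constructed sample dumps for hypothetical sites, not real breach data
SAMPLE_DUMPS = {
    "ExampleSiteA": [
        {"email": "Alice@example.com", "password_hash": "x1", "hint": "pet"},
        {"email": "bob@example.com", "password_hash": "y2", "hint": "city"},
        {"email": "not-an-email", "password_hash": "z3", "hint": ""},
    ],
    "ExampleSiteB": [
        {"email": "alice@example.com", "password_hash": "w4", "hint": "dog"},
        {"email": "carol@example.com", "password_hash": "v5", "hint": ""},
    ],
}

def build_index():
    idx = BreachIndex()
    for name, rows in SAMPLE_DUMPS.items():
        idx.ingest(name, rows)
    return idx
```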
“A huge amount of effort is put into deciding the ethics of how I run this thing,” he says. “I’m really conscious that, on the one hand, this is data that has been illegally obtained, and some people would say it’s stolen… On the other hand, it’s enormously useful for so many people.”
In fact, donations often seem to go up after an especially high-profile breach, he says.
“Very often I’ll hear things like, ‘thank you so much for letting me know – LinkedIn never sent me an e-mail to tell me about this,’ or ‘I had no idea that I was exposed in ABC data breach some years ago – this might explain why my accounts keep getting taken over for some reason,’” Hunt says. “So the ethics of it are enormously important, and over time I keep reflecting on them and making tweaks here and there.”
Silence isn’t the answer
There is, of course, another lesson here for the companies involved: when responding to a breach, transparency is key.
No company wants to be hacked, but when personal information has been compromised enterprises should be sending the leaked data to users so they can decide what to do next, Hunt says.
Instead, many a frustrated individual has contacted him after hearing little more than radio silence from corporate victims such as Adobe or LinkedIn.
Many users who recently wrote LinkedIn asking which password was leaked, for example, were told that because their passwords had been changed the company no longer had their old passwords on file, Hunt says. That’s not a helpful answer for victims of the breach.
“I’m increasingly incensed at these organizations that clearly have made some bad security decisions – and granted, they’ve had someone come in and illegally hack into their things, which is never okay – but we’re in this situation where people are understandably concerned and the company that screwed up and lost the data is unwilling to support them when it could.”