Hackers and Your Data

There have been plenty of reports in the news lately about large-scale data breaches caused by everything from clever hacking to poor security practices to somebody just leaving a flash drive lying around, but once everyone’s email addresses, passwords, and credit card numbers get stolen, what actually happens to all that information?

I mean, is there just a Walmart for cyber criminals where they go and buy your personal information at rollback prices? And if your information is indeed part of a massive breach, how do you find out? What are the appropriate precautions?

One thing that’s helpful in understanding what happens after a data breach is to realize the sheer scope of many of them. It’s not uncommon for these breaches to affect tens of millions of people at once, and sometimes even more.

That means that it isn’t particularly easy for an individual user to search through large databases of stolen information, especially considering the sorts of places that information ends up. Oftentimes, this data will appear on dark web markets that require special software to access, where it is indeed bought and sold by cyber criminals hoping to rack up fraudulent charges, drain someone’s bank account, or even commit outright identity theft. But it turns out that this isn’t the only place where personal data can appear.

In fact, sometimes it’ll show up in a much more public pastebin site. What’s a pastebin site, you might ask? Well, it’s the digital equivalent of the inside of a bathroom stall wall. They’re designed for anyone to just dump a large amount of data as plain text.

These things can be great for folks like coders who want others to check their code for errors, or just anyone who needs a place to quickly jot down non-sensitive information. In recent years though, some pastebin sites have become hotbeds for stolen data procured from data breaches.

Now, some of this data is put there by hacktivists who don’t seek to make much, if any, money off of their exploits, while other leaks are partially dumped to pastebin sites by attackers as a free sample of a larger data set that they expect to get paid for on one of the aforementioned Darknet markets. While anyone can bring up data that’s dumped to a pastebin, it’s not exactly easy for the average consumer to go hunt for their credentials one by one after hearing about the latest big data breach on the news. There is good news though. There are easier ways to keep tabs on your logins and passwords.

There are services that try to catalog Darknet leaks and automatically detect when large data dumps appear on pastebins, then organize them into databases and save them even if the original data gets taken down. One of the best known of these services is Have I Been Pwned?, which works by having you enter your email address, which it then checks against the database of billions of leaked account records to see if you’ve been affected by a breach. Have I Been Pwned? uses a bot to monitor pastebin sites for new submissions containing credentials and passwords. It offers email notifications if the site finds your info in a recent breach, and it also allows users to enter their own passwords to check against the database as well, which sounds like a terrible idea, but don’t worry.

Have I Been Pwned? employs an algorithm that keeps your passwords secure when you test them by hashing them, then sending only the first five characters of the hash to a server that contains the database of known breached passwords. Any matching hashes that are found are sent back to your PC, which can then determine whether your entire password hash is the same as any of those found in the database. This functionality has actually also been built into some password managers, which can even tell you if your credentials have been found in a recent data dump, so that’s cool. But then, what if you follow these steps and your details have been compromised?

Well, step one is to change your passwords. Step two is to contact your bank and credit card companies, if your email was tied to those accounts. Step three is to get in touch with one of the major credit reporting agencies. Once you’ve contacted them, you can do basic things like freezing your credit for free, or if you want something a little less intrusive than having your credit frozen, you can pay for credit monitoring, which will send you a report when anyone tries to open a new account or apply for credit in your name.
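The password check described earlier, where only the first five characters of the hash leave your machine, can be sketched as follows. This is an added example, not Have I Been Pwned's own code: it assumes SHA-1 as the hash, and the `RangeServer` class, the sample passwords and their counts are constructed stand-ins for the real service so that the example runs offline.

```python
import hashlib
import hmac

# Constructed sample data standing in for the breached-password database.
BREACHED = {"password": 3, "letmein": 2, "hunter2": 1}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (SHA-1 is an assumption here)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Hypothetical local stand-in for the lookup server."""

    def __init__(self, corpus):
        self.seen = []   # everything clients ever send to the server
        self.index = {}  # 5-char prefix -> [(35-char suffix, count), ...]
        for pw, count in corpus.items():
            digest = sha1_hex(pw)
            self.index.setdefault(digest[:5], []).append((digest[5:], count))

    def query(self, prefix: str) -> str:
        """Return 'SUFFIX:COUNT' lines for every stored hash with this prefix."""
        if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be 5 uppercase hex characters")
        self.seen.append(prefix)
        return "\n".join(f"{s}:{n}" for s, n in self.index.get(prefix, []))


def check_password(password: str, query) -> int:
    """Client side: return how often the password appears, 0 if never."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():  # only the prefix leaves the client
        candidate, _, count = line.partition(":")
        # The full-hash comparison happens locally, on the client.
        if hmac.compare_digest(candidate.strip().upper(), suffix):
            return int(count)
    return 0


if __name__ == "__main__":
    server = RangeServer(BREACHED)
    for pw in ("password", "correct horse battery staple 7Q"):
        print(pw, "->", check_password(pw, server.query))
    print("server saw only:", server.seen)
```

The `seen` list records everything the simulated server learns: a five-character prefix per lookup, never the password or its full hash.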