Here’s the next jumbo data leak, complete with Facebook, Twitter, and LinkedIn profiles.
For well over a decade, identity thieves, phishers, and other online scammers have created a black market of stolen and aggregated consumer data that they used to break into people’s accounts, steal their money, or impersonate them. In October, dark web researcher Vinny Troia found one such trove sitting exposed and easily accessible on an unsecured server, comprising 4 terabytes of personal information—about 1.2 billion records in all.
Does your institution have a policy/guidance document on hacked or scraped data? If not, it should. While the data may already exist online somewhere, it is “fruit of the poisonous tree” in that it was obtained without consent, probably in contravention of a platform’s policies, and there is a good chance at least one law has been broken. At the very least a Human Research Ethics Committee (HREC) would need to consider whether a waiver of the consent requirement can be approved. It would appear to be a very serious source of risk exposure for an institution, and a member of the institution’s executive should sign off on the project.
“It’s bad that someone had this whole thing wide open,” Troia says. “This is the first time I’ve seen all these social media profiles collected and merged with user profile information into a single database on this scale. From the perspective of an attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers, and associated account URLs. That’s a lot of information in one place to get you started.”
“What stands out about this incident is the sheer volume of data that’s been collected.” (Troy Hunt, Have I Been Pwned)
Troia found the server while looking for exposures with fellow security researcher Bob Diachenko on the web scanning services BinaryEdge and Shodan. The IP address for the server simply traced to Google Cloud Services, so Troia doesn’t know who amassed the data stored there. He also has no way of knowing if anyone else found and downloaded the data before he did, but notes that the server was easy to find and access. WIRED checked six people’s personal email addresses against the data set; four were there and returned accurate profiles. Troia reported the exposure to contacts at the Federal Bureau of Investigation. Within a few hours, he says, someone pulled the server and the exposed data offline. The FBI declined to comment for this story.