How to verify a data breach
Reading Time: 8 minutesIt’s not just our sensitive information that can spill online. Some data breaches can contain information that can have significant public interest or that is highly useful for researchers. Last year, a disgruntled hacker leaked the internal chat logs of the prolific Conti ransomware gang, exposing the operation’s innards, and a huge leak of a billion resident records siphoned from a Shanghai police database revealed some of China’s sprawling surveillance practices.
But one of the biggest challenges reporting on data breaches is verifying that the data is authentic, and not someone trying to stitch together fake data from disparate places to sell to buyers who are none the wiser.
Verifying a data breach helps both companies and victims take action, especially in cases where neither are yet aware of an incident. The sooner victims know about a data breach, the more action they can take to protect themselves.
Author Micah Lee wrote a book about his work as a journalist authenticating and verifying large datasets. Lee recently published an excerpt from his book about how journalists, researchers and activists can verify hacked and leaked datasets, and how to analyze and interpret the findings.
Every data breach is different and requires a unique approach to determine the validity of the data. Verifying a data breach as authentic will require using different tools and techniques, and looking for clues that can help identify where the data came from.
In the spirit of Lee’s work, we also wanted to dig into a few examples of data breaches we have verified in the past, and how we approached them.
How we caught StockX hiding its data breach affecting millions
How we confirmed the hack was in part luck, but it also took a lot of work.
The person shared 1,000 stolen StockX user records as a comma-separated file, essentially a spreadsheet of customer records on every new line. That data appeared to contain StockX customers’ personal information, like their name, email address, and a copy of the customer’s scrambled password, along with other information believed unique to StockX, such as the user’s shoe size, what device they were using, and what currency the customer was trading in.
In this case, we had an idea of where the data originally came from and worked under that assumption (unless our subsequent checks suggested otherwise). In theory, the only people who know if this data is accurate are the users who trusted StockX with their data. The greater the number of people who confirm their information was valid, the greater chance that the data is authentic.
Since this is the first time the StockX customers we contacted were hearing about this breach, the communication had to be clear, transparent and explanatory and had to require little effort for recipients to respond.
We sent messages to dozens of people whose email addresses used to register a StockX account were @icloud.com
or @me.com
, which are commonly associated with Apple iMessage accounts. By using iMessage, we could also see that the messages we sent were ‘delivered,’ and in some cases depending on the person’s settings it said if the message was read.
By writing messages this way, we’re building credibility with a person who may have no idea who we are, or may otherwise ignore our message suspecting it’s some kind of scam.
How we figured out leaked 23andMe user data was genuine
Just like StockX, 23andMe’s recent security incident prompted a mass password reset in October 2023. It took 23andMe another two months to confirm that hackers had scraped sensitive profile data on 6.9 million 23andMe customers directly from its servers — data on about half of all 23andMe’s customers.
The first signs of a breach at 23andMe began when a hacker posted on a known cybercrime forum a sample of 1 million account records of Ashkenazi Jews and 100,000 users of Chinese descent who use 23andMe. The hacker claimed to have 23andMe profile, ancestry records, and raw genetic data for sale.
But it wasn’t clear how the data was exfiltrated or even if the data was genuine. Even 23andMe said at the time it was working to verify whether the data was authentic, an effort that would take the company several more weeks to confirm.
The precise formatting of the leaked 23andMe data suggested that each record had been methodically pulled from 23andMe’s servers, one by one, but likely at high speed and considerable volume, and organized into a single file. Had the hacker broken into 23andMe’s network and ‘dumped’ a copy of 23andMe’s user database directly from its servers, the data would likely present itself in a different format and contain additional information about the server that the data was stored on.
One thing immediately stood out from the data: Each user record contained a seemingly random 16-character string of letters and numbers, known as a hash. We found that the hash serves as a unique identifier for each 23andMe user account, but also serves as part of the web address for the 23andMe user’s profile when they log in. We checked this for ourselves by creating a new 23andMe user account and looking for our 16-character hash in our browser’s address bar.
We also found that plenty of people on social media had historical tweets and posts sharing links to their 23andMe profile pages, each featuring the user’s unique hash identifier. When we tried to access the links, we were blocked by a 23andMe login wall, presumably because 23andMe had fixed whatever flaw had been exploited to allegedly exfiltrate huge amounts of account data and wiped out all public sharing links in the process. At this point, we believed the user hashes could be useful if we were able to match each hash against other data on the internet.
When we plugged in a handful of 23andMe user account hashes into search engines, the results returned web pages containing reams of matching ancestry data published years earlier on websites run by genealogy and ancestry hobbyists documenting their own family histories.
In other words, some of the leaked data had been published in part online already. Could this be old data sourced from previous data breaches?
One by one, the hashes we checked from the leaked data perfectly matched the data published on the genealogy pages. The key thing here is that the two sets of data were formatted somewhat differently, but contained enough of the same unique user information — including the user account hashes and matching genetic data — to suggest that the data we checked was authentic 23andMe user data.
It was clear at this point that 23andMe had experienced a huge leak of customer data, but we could not ascertain for sure how recent or new this leaked data was.
The leaks didn’t stop. Another dataset, purportedly on 4 million British users of 23andMe, was posted online in the days that followed, and we repeated our verification process. The new set of published data contained numerous matches against the same previously published data. This, too, appeared to be authentic 23andMe user data.
And so that’s what we reported. By December, 23andMe admitted that it had experienced a huge data breach attributed to a mass scrape of data.
The company said hackers used their access to around 14,000 hijacked 23andMe accounts to scrape vast amounts of other 23andMe users’ account and genetic data who opted in to a feature designed to match relatives with similar DNA.
While 23andMe tried to blame the breach on the victims whose accounts were hijacked, the company has not explained how that access permitted the mass downloading of data from the millions of accounts that were not hacked. 23andMe is now facing dozens of class-action lawsuits related to its security practices prior to the breach.
How we confirmed that U.S. military emails were spilling online from a government cloud
Sometimes the source of a data breach — even an unintentional release of personal information — is not a shareable file packed with user data. Sometimes the source of a breach is in the cloud.
The cloud is a fancy term for ‘someone else’s computer,’ which can be accessed online from anywhere in the world. That means companies, organizations and governments will store their files, emails, and other workplace documents in vast servers of online storage often run by a handful of the Big Tech giants, like Amazon, Google, Microsoft, and Oracle. And, for their highly sensitive customers like governments and militaries, the cloud companies offer separate, segmented and highly fortified clouds for extra protection against the most dedicated and resourced spies and hackers.
In reality, a data breach in the cloud can be as simple as leaving a cloud server connected to the internet without a password, allowing anyone on the internet to access whatever contents are stored inside.
It happens, and more than you might think. People actually find them! And some folks are really good at it.
Anurag Sen is a good-faith security researcher who’s well known for discovering sensitive data mistakenly published to the internet. He’s found numerous spills of data over the years by scouring the web for leaky clouds with the goal of getting them fixed. It’s a good thing, and we thank him for it.
But in reality, someone, somewhere (and somehow) removed a password from a server in this supposedly highly fortified cloud, effectively punching a huge hole in this cloud server’s defenses and allowing anyone on the open internet to digitally dive in and peruse the data inside. It was human error, not a malicious hack.
If Sen was right and these emails proved to be genuine U.S. military emails, we had to move quickly to ensure the leak was plugged as soon as possible, fearing that someone nefarious would soon find the data.
Sen shared the server’s IP address, a string of numbers assigned to its digital location on the internet. Using an online service like Shodan, which automatically catalogs databases and servers found exposed to the internet, it was easy to quickly identify a few things about the exposed server.
First, Shodan’s listing for the IP address confirmed that the server was hosted on Microsoft’s Azure cloud specifically for U.S. military customers (also known as ‘usdodeast
‘). Second, Shodan revealed specifically what application on the server was leaking: an Elasticsearch engine, often used for ingesting, organizing, analyzing and visualizing huge amounts of data.
Although the U.S. military inboxes themselves were secure, it appeared that the Elasticsearch database tasked with analyzing these inboxes was insecure and inadvertently leaking data from the cloud. The Shodan listing showed the Elasticsearch database contained about 2.6 terabytes of data, the equivalent of dozens of hard drives packed with emails. Adding to the sense of urgency in getting the database secured, the data inside the Elasticsearch database could be accessed through the web browser simply by typing in the server’s IP address. All to say, these military emails were incredibly easy to find and access by anyone on the internet.
By this point, we ascertained that this was almost certainly real U.S. military email data spilling from a government cloud. But the U.S. military is enormous and disclosing this was going to be tricky, especially during a federal holiday weekend. Given the potential sensitivity of the data, we had to figure out quickly who to contact and make this their priority — and not drop emails with potentially sensitive information into a faceless catch-all inbox with no guarantee of getting a response.
Sen also provided screenshots (a reminder to document your findings!) showing exposed emails sent from a number of U.S. military email domains.
Since Elasticsearch data is accessible through the web browser, the data within can be queried and visualized in a number of ways. This can help to contextualize the data you’re dealing with and provide hints as to its potential ownership.
For example, many of the screenshots Sen shared contained emails related to @socom.mil
, or U.S. Special Operations Command, which carries out special military operations overseas.
We wanted to see how many emails were in the database without looking at their potentially sensitive contents, and used the screenshots as a reference point.
By submitting queries to the database within our web browser, we used the in-built Elasticsearch ‘count’ parameter to retrieve the number of times a specific keyword — in this case an email domain — was matched against the database. Using this counting technique, we determined that the email domain ‘socom.mil
‘ was referenced in more than 10 million database entries. By that logic, since SOCOM was significantly affected by this leak, it should bear some responsibility in remediating the exposed database.
And that is who we contacted. The exposed database was secured the following day, and our story published soon after.
It took a year for the U.S. military to disclose the breach, notifying some 20,000 military personnel and other affected individuals of the data spill. It remains unclear exactly how the database became public in the first place. The Department of Defense said the vendor — Microsoft, in this case — ‘resolved the issues that resulted in the exposure,’ suggesting the spill was Microsoft’s responsibility to bear. For its part, Microsoft has still not acknowledged the incident.
To contact this reporter, or to share breached or leaked data, you can get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.
Reference: https://techcrunch.com/2024/03/15/how-to-verify-a-data-breach/
Ref: techcrunch
MediaDownloader.net -> Free Online Video Downloader, Download Any Video From YouTube, VK, Vimeo, Twitter, Twitch, Tumblr, Tiktok, Telegram, TED, Streamable, Soundcloud, Snapchat, Share, Rumble, Reddit, PuhuTV, Pinterest, Periscope, Ok.ru, MxTakatak, Mixcloud, Mashable, LinkedIn, Likee, Kwai, Izlesene, Instagram, Imgur, IMDB, Ifunny, Gaana, Flickr, Febspot, Facebook, ESPN, Douyin, Dailymotion, Buzzfeed, BluTV, Blogger, Bitchute, Bilibili, Bandcamp, Akıllı, 9GAG