Take These 2 Steps Now to Protect Yourself From Data Leaks
Everyone on the internet is exposed to some degree of risk. One of those risks is of a data breach or leak. Every time you create a new account or set up a new app, you create a new place where your data can be hacked or breached. That’s why taking steps for better data leak protection is crucial. But the good news is that the two best things you can do to protect yourself aren’t difficult.
See The Changing World of Data Breaches with Troy Hunt for a complete transcript of the Easy Prey podcast episode.
Troy Hunt is an information security officer, Microsoft Regional Director, and Microsoft Most Valuable Professional specializing in online security and cloud development. He’s also a conference speaker and runs workshops on building more secure software. However, he’s most well-known as the creator of the data breach aggregation service Have I Been Pwned. This is his second time on the Easy Prey Podcast – and both times he’s talked about data breaches.
The Story of Have I Been Pwned
Troy didn’t set out to create an incredibly popular data leak protection and awareness service. If he did, he wouldn’t have given it such a stupid name! He started it because at the time, he was working at a corporate job. He was a software developer, and he enjoyed it. But like most tech people, to advance in his career he had to get out of development and into management. Troy was miserable in management – he just wanted to develop software. So he decided to create a project on the side.
This was right after the huge Adobe data breach in 2013. Troy had been blogging a lot about data breaches and the patterns you could see. He was also looking at the data exposed in the breach. His information was in there twice – once with his work address, once with his personal. He found that especially interesting because he had never had an Adobe account. However, he did use Macromedia products. When Adobe bought Macromedia, his data ended up in Adobe’s databases.
You can put your data in one place, and then it traverses around the internet or various entities, acquisitions, and things, and you end up in something you didn’t expect. – Troy Hunt
The data from the Adobe leak was a good data set, and Troy was interested in cloud-first programs like Microsoft Azure. So he took the Adobe breach data, used Azure to put an interface on it, and what became Have I Been Pwned was born. No one is more surprised than Troy that this project he built in his spare time has been around for ten years now.
Where Have I Been Pwned Gets Information
When Troy first launched Have I Been Pwned, he used the data from the Adobe data breach. He loaded it into his new program manually. But not long after he launched it, people started reaching out to him and offering him the data from various breaches. To this day, this is still what happens. People send Troy everything from new breach notifications to links with the entire contents of the data leak. He gets these notices sometimes multiple times a day.
It’s a firehose of breaches … it’s much more than what I can even handle. – Troy Hunt
There’s no easy way to automatically import all that data. He has to filter the firehose of information down to what he can deal with. The big ones he tries to get up immediately. Unfortunately, some of the smaller ones have to wait until he has time.
Sometimes he gets a bunch of people contacting him about the same data. This is pretty common if it’s posted on a hacking forum. Other times it’s an individual who just happened to come across it. And sometimes, the person notifying him about the data leak is the one who took it in the first place. That’s always awkward.
Companies That Don’t Practice Good Security
For the people who take the data and then give it to Have I Been Pwned, there are different motives. Sometimes it’s because they tried to ransom the data and the company wouldn’t pay. But sometimes it’s to make a point about the company’s cybersecurity. In one example, someone created a website just to publish data stolen from a large American company because they were so angry about the company’s security practices. Even though stealing the data is a crime, sometimes the motive is somewhat altruistic. They want to see security improve, but it feels like companies aren’t taking it seriously.
Companies just don’t take [security] seriously enough, and the thing that gets their attention is to get the data. – Troy Hunt
Part of what pains Troy about this scenario is that sometimes they’re right. It shouldn’t be that way, but a lot of the responsibility falls back on the company. It’s a struggle. Troy is sympathetic to companies because they often get people reaching out and saying that they’ve found vulnerabilities, but they want to be paid a “bounty” to tell the company. But most of these people have just run a company’s website through a free tool and generated a useless report.
Troy is critical of companies who aren’t receptive to reports of security issues. But when people out there are using free tools to generate useless reports and then trying to charge a company money for them, the company is in a tough place. They know they should pay attention to all reports, but almost all of them are guaranteed to be worthless. It’s a difficult problem.
How Data Leaks Have Changed Over Time
If you’re paying attention to data breaches over the past ten years and care about data leak protection, you may have noticed that it’s changed somewhat. The most obvious change is ransomware. It’s gotten really big, especially in the past few years. It’s not uncommon to see ransomware crews running sites on the dark web that reveal tons of ransomed data. Last year, Australia’s largest private health insurer got targeted by ransomware. The crew ended up with data from nearly half of the country, and demanded a million dollars or they’d start publicly exposing the health data. When they did expose it, they started with the list of people who’d had abortions. Then it was the list of people who had drug addictions. It was planned for maximum impact.
A lot of what’s getting exposed in data leaks is documents. In one United States company, a breach exposed a bunch of emails, Word docs, and PDFs. They could be anything from invoices to corporate communications. It used to be that most of what was exposed in a leak was SQL and CSV databases. Now, data leak protection needs to factor in the risk that anything could be exposed.
It used to be that data breaches were [database] files. Now there’s a lot more of the entire crown jewels of the organization in there. – Troy Hunt
Some people concerned about data leak protection are worried that more data is being exposed now than it was in the past. But Troy doesn’t know that the type of data has changed in a meaningful way. Instead of asking if the data being collected is different, it’s more useful to ask if we’re building apps differently today than we were ten years ago. And how are we collecting and storing that information?
Third Party Data Leak Risks
We’re also seeing a rise in third-party compromise. Troy has complained about this quite a bit. You get a disclosure notice saying there was a data breach that included your information, but it wasn’t us – it was a third party. But they don’t say what third party or who they gave your information to. He wants to see if this is something that needs regulation, or if it will be considered common decency to disclose which third party was breached.
Third parties are just part of how we build apps now. If your app has a chatbot, you probably use a third-party chatbot service. If it takes payments, a payment service; if it has a help desk, a ticketing service. Have I Been Pwned recently did a bunch of privacy and legal stuff, and their lawyers had them make a list of every single third party they provide data to. There was Azure and Cloudflare, the two programs that make the service run. But there was also SendGrid, because they send emails. And ZenDesk, because they have a support system.
Even for what seems like a simple service, there are almost always a bunch more third parties under the hood. And often the terms and conditions you have to agree to in order to use the service declare they can share your data with whoever they want. But who’s going to read all those pages of legal babble? Companies need to disclose what third party was compromised as a matter of course.
The Cloud and Data Leak Protection
Some people are concerned that the push towards using cloud-based services is putting our data at more risk of breaches and exposure. After all, cloud services provide a lot of opportunities for malicious actors to get at data. But Troy doesn’t think they necessarily make us less secure. There may be more opportunities for attacks, but often cloud services can do better at security than you could on your own.
Cloud in general has massively increased our attack surface … [but] I’m hesitant to say it’s made us more vulnerable. – Troy Hunt
A lot of data breaches Troy sees are on easily accessible, well-priced storage solutions that the user just didn’t secure. Cloud services, on the other hand, often have that security built in. In many cases, it can be safer to trust your data to a large cloud service with a team of security experts than try to secure it yourself.
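The “storage the user just didn’t secure” pattern above usually comes down to an access policy that grants anonymous access. The following is an added example, not code from the podcast or from Have I Been Pwned: a small checker that reads an AWS S3 bucket policy (standard JSON policy format) and reports every `Allow` statement whose principal is anonymous (`"*"` or `{"AWS": "*"}`). The two policies, the bucket name and the account/role ARN are constructed for illustration.

```python
import json

# Constructed example: a policy that makes every object in the bucket world-readable.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-backups/*",
    }],
})

# Constructed example: the same bucket, but access is limited to one IAM role
# (placeholder account id 123456789012 and role name backup-writer).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackupRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-backups/*",
    }],
})


def principal_is_anonymous(principal) -> bool:
    """True when the statement applies to everyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def anonymous_allow_statements(policy_json: str) -> list[tuple[str, bool]]:
    """Return (Sid, has_condition) for every Allow statement open to anonymous principals.

    A Condition block can narrow an anonymous grant (for example to HTTPS only),
    but it does not make the data private, so conditioned grants are still reported
    and flagged for review rather than silently accepted.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and principal_is_anonymous(stmt.get("Principal")):
            findings.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return findings


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        findings = anonymous_allow_statements(policy)
        print(f"{name}: {findings or 'no anonymous grants'}")
```

The check is deliberately narrow: it does not evaluate bucket ACLs, the account-level public access block, or cross-account principals, so a clean result means “no anonymous grant in this policy document”, not “this bucket is private”.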
The Changing World of Data Leak Protection
We’re making good progress in moving away from passwords. Even in the past year, we’ve seen greater understanding of tools like passkeys and more acceptance of things like two-factor authentication (2FA). Tools like Universal 2nd Factor (U2F), a physical token that you have to plug into your device to log in to an account, are gaining more popularity. Troy thinks this is great. One of the best things you can do for data leak protection is add additional safeguards to your accounts.
With 2FA, some people will argue about the “hierarchy” of methods. You can do 2FA through an SMS message, an app, or a U2F token. Some people say that using SMS for your 2FA is worse than not having 2FA at all. That’s completely false. Even if you believe it’s the worst way to do 2FA, it’s better than having no 2FA at all.
SMS 2FA is not terrible. Having no 2FA is terrible. – Troy Hunt
For many people, getting their 2FA code via text is the best way to do it. Apps can sometimes be confusing – and many of them don’t have backup options. If your phone breaks or is stolen, you might be out of luck. U2F keys can be expensive, and you have to have the key with you whenever you need to log in.
The two important things to consider are what you really need to protect, and what level of inconvenience you’re willing to deal with. Doing 2FA with SMS is less secure, but it’s easier for most people. A U2F token is more secure, but more expensive. The security method that’s best is the one that you can and will use.
We Can’t Help Being Online
Even though Troy knows a lot about the risk of data breaches, he doesn’t create fewer accounts than the average person. In fact, he has around a thousand accounts. But because he also understands data leak protection, he has a strong, unique password for every account.
The pandemic really accelerated it, but there’s also been a societal shift towards buying more things online. And buying online requires making accounts. Recently, Troy wanted to buy a solar radiation sensor. He found a website that sold them – and had to create yet another account. If this account is breached, it could expose his name and password. Troy isn’t very worried about that, because the password is unique. But it could also expose his home address, phone number, or credit card information, which carries more risk.
In the end, what are the options? He either has to take the risk of exposure or not buy stuff. Ultimately, we’ll all end up taking some risks online. It’s just important to be aware and take as many steps as we can to be safe.
Am I not going to buy stuff [online]? No. That’s just a risk we take. – Troy Hunt
Data Leak Protection for Different Levels of Tech Knowledge
Troy’s son is fourteen and his daughter is eleven. They’ve grown up seeing the kind of work he does. They also have a pretty good understanding of the steps they need to take to be secure. Troy has a family account with the password manager 1Password, and his kids have grown up with that. They know best practices to keep their passwords secure, and they are starting to understand why 2FA is so important. There’s a benefit for them being digital natives and growing up with it.
For older adults, the best solution may be different. If you’re not a digital native or spent your adulthood working with technology, some of these tools can be difficult to get the hang of. It’s important to find the right technology fit. And sometimes that’s low tech. Troy’s mother writes her passwords in a physical book – which is fine as long as she doesn’t reuse them. At that point, the risk is coming from someone breaking into her house. And someone breaking in is probably after the TV, not a notebook. The key is to find something they’ll use and be comfortable with. You don’t want them to be lost every time they try to get online.
I think we’ve all got to find out where our sweet spot of usability and security is. – Troy Hunt
Know What Information is Actually Risky
Troy thinks we should discuss what the risk actually is for some kinds of data. Some people get extremely concerned about their email address, home address, or phone number being exposed. It feels like an extremely personal piece of information. But most of that stuff has been in the phone book for decades. Even if we don’t use the physical books much, the White Pages are still available online.
Occasionally, Troy will post a photo on Twitter, and someone will message him saying that they managed to triangulate his address from the angle of the sun and the shoreline in the background or something. Troy always wonders why they went through all that trouble – they could have found it in the phone book much more easily. In Australia, where Troy lives, you’re in the phone directory by default. If you’re a company director, you’re in another directory. You could easily figure out where Troy lives, what school his kids go to, and all sorts of other stuff if you wanted.
Many people are worried that someone will discover their address or phone number in a data breach. But most of the time, that information doesn’t have any impact in the real world. Opening a phone book or a quick Google search could reveal it without data breaches or hacking involved. There’s a point where we shouldn’t panic about the data that’s out there.
When It Does Matter
Of course, there are exceptions. If you’re being stalked or harassed, for example, you’ve probably taken measures to ensure your home address is hard to find. Having a data breach expose it publicly could put you in actual danger.
In many ways, Troy has the luxury of most of his data not mattering. If someone discovers his address, it’s not a big deal. It doesn’t matter to him if his gender or sexuality is exposed because they’re not particularly sensitive matters to him. But for some people, exposing this information could be incredibly damaging.
Take medical records as an example. Troy can’t think of anything in his medical history that would matter much if it were public. If all that’s in your file is annual checkups and one broken ankle, that probably won’t affect you too much. But if you’ve had a procedure that isn’t socially acceptable, for example, or been treated for a condition that you want to keep secret, then it becomes highly sensitive.
Troy doesn’t want to say that having your data revealed doesn’t matter. It is a breach of privacy, and for some people the information is extremely sensitive. But for many of us, the actual real-world impact of that data is very limited. When thinking about data leak protection and response, it’s important to think about how important it actually is. Often, people lose their minds about data that has no impact on their lives.
It’s Not Getting Better
Troy doesn’t see things getting better in terms of data breaches and data leak protection. But they are changing. Passwords are a great example. We’re seeing less MD5 hashing, so it’s getting harder for hackers to crack passwords. Using 2FA makes it harder for “brute force” attacks to get in even if they crack the passwords. But malware that can grab browser fingerprints and cookies could change that.
We’re also seeing things like “2FA bombing,” where criminals repeatedly make requests to 2FA apps. People get the notifications over and over again until they eventually say yes to make it go away. Changing the app authentication from a button tap to showing a code that you have to enter prevents that.
We keep changing the playing field. Overall, it’s no better now than it was four years ago. We do better, and then the bad guys do better, and then we do better. It’s a constant race to stay on top of security.
The Bar for Data Leak Protection is Very Low
When it comes to data leak protection and online security in general, the bar is actually very low. Criminals often go for the low-hanging fruit that they can get easily. If you take simple, easy security steps, you can cut down a large portion of the risk.
For a real-world example, Troy is in a WhatsApp group for his community. People report petty theft, and every single time it’s low-hanging fruit. A taxi driver left his car running while he carried his passenger’s bag into the house. A lady left her car running in the parking lot while she dropped off a library book. Troy himself accidentally left his car unlocked on a day when his gate didn’t close because he was replacing the tile. These criminals weren’t breaking in or using sophisticated carjacking techniques. The theft victims could have prevented it by taking the simple step of locking their car.
Having strong, unique passwords that you store in a password manager and turning on 2FA for all your accounts is like locking your car in the garage. It won’t stop a determined thief with the tools to break into the garage and hotwire your car. But it will stop the majority of thieves, who are looking for unlocked cars and easy pickings. There’s a certain level of simple things that will eliminate the vast majority of your risk. It’s not hard. If you are using strong, unique passwords with a password manager and have 2FA turned on, you’re almost certainly fine.