How to verify a data breach
Over the years Ztoog has covered data breaches extensively. In fact, some of our most-read stories have come from reporting on major data breaches, from revealing shoddy security practices at startups holding sensitive genetic information to disproving privacy claims made by a popular messaging app.

It's not just our sensitive information that can spill online. Some data breaches contain information that is of significant public interest or highly useful to researchers. Last year, a disgruntled hacker leaked the internal chat logs of the prolific Conti ransomware gang, exposing the operation's inner workings, and a large leak of a billion resident records siphoned from a Shanghai police database revealed some of China's sprawling surveillance practices.

But one of the biggest challenges in reporting on data breaches is verifying that the data is authentic, and not someone trying to stitch together fake data from disparate sources to sell to buyers who are none the wiser.

Verifying a data breach helps both companies and victims take action, especially in cases where neither is yet aware of an incident. The sooner victims know about a data breach, the more they can do to protect themselves.

Author Micah Lee wrote a book about his work as a journalist authenticating and verifying large datasets. Lee recently published an excerpt from his book about how journalists, researchers and activists can verify hacked and leaked datasets, and how to analyze and interpret the findings.

Every data breach is different and requires a distinct approach to determine the validity of the data. Verifying a data breach as authentic will require using different tools and techniques, and looking for clues that can help identify where the data came from.

In the spirit of Lee's work, we also wanted to dig into a few examples of data breaches we have verified in the past, and how we approached them.

How we caught StockX hiding its data breach affecting millions

It was August 2019 and users of the sneaker-selling marketplace StockX received a mass email saying they had to change their passwords because of unspecified "system updates." But that wasn't true. Days later, Ztoog reported that StockX had been hacked and someone had stolen millions of customer records. StockX was forced to admit the truth.

How we confirmed the hack was partly luck, but it also took a lot of work.

Soon after we published a story noting it was odd that StockX would force potentially millions of its customers to change their passwords without warning or explanation, someone contacted Ztoog claiming to have stolen a database containing records on 6.8 million StockX customers.

The person said they were selling the alleged data on a cybercrime forum for $300, and agreed to provide Ztoog with a sample of the data so we could verify their claim. (In practice, we would still be faced with this same situation had we simply seen the hacker's online posting.)

The person shared 1,000 stolen StockX user records as a comma-separated file, essentially a spreadsheet with one customer's record on each new line. The data appeared to contain StockX customers' personal information, like their name, email address, and a copy of the customer's scrambled password, along with other information believed to be unique to StockX, such as the user's shoe size, what device they were using, and what currency the customer was trading in.

In this case, we had an idea of where the data originally came from and worked under that assumption (unless our subsequent checks suggested otherwise). In principle, the only people who know whether this data is accurate are the users who trusted StockX with their data. The greater the number of people who confirm their information is valid, the greater the chance that the data is authentic.

Since we cannot legally check whether a StockX account is valid by logging in with a person's password without their permission (even if the password weren't scrambled and unusable), Ztoog had to contact users to ask them directly.

StockX's password reset email to customers citing unspecified "system updates." Image Credits: file photo.

We will typically seek out people who we know can be contacted quickly and respond promptly, such as through a messaging app. Although StockX's data breach only contained customer email addresses, this data was still useful since some messaging apps, like Apple's iMessage, allow email addresses in place of a phone number. (If we had phone numbers, we could have tried contacting potential victims by sending a text message.) As such, we used an iMessage account set up with a @techcrunch.com email address so the people we contacted would know the request was really coming from us.

Since this was the first time the StockX customers we contacted were hearing about this breach, the communication had to be clear, transparent and explanatory, and require as little effort as possible for recipients to respond.

We sent messages to dozens of people whose email addresses used to register a StockX account were @icloud.com or @me.com, which are commonly associated with Apple iMessage accounts. By using iMessage, we could also see that the messages we sent were "delivered," and in some cases, depending on the person's settings, whether the message had been read.

The messages we sent to StockX victims included who we were ("I'm a reporter at Ztoog"), and the reason why we were reaching out ("We found your information in an as-yet-unreported data breach and need your help to verify its authenticity so we can notify the company and other victims"). In the same message, we provided information that only they could know, such as the username and shoe size associated with the same email address we were messaging. ("Are you a StockX user with [username] and [shoe size]?"). We chose information that was easily confirmable but nothing so sensitive that it could further expose the person's private data if read by someone else.

By writing messages this way, we are building credibility with a person who may have no idea who we are, or may otherwise ignore our message suspecting it's some kind of scam.

We sent similar personalized messages to dozens of people, and heard back from a portion of those we contacted and followed up with. Typically a sample of around ten or a dozen confirmed accounts would suggest valid and authentic data. Everyone who responded to us confirmed that their information was accurate. Ztoog provided the findings to StockX, prompting the company to try to get ahead of the story by disclosing the massive data breach in a statement on its website.
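The triage steps described above, as an added example that is not Ztoog's own tooling: load the comma-separated sample, run cheap plausibility checks (duplicate rows, empty password hashes, domain spread), keep only addresses likely reachable over iMessage, and build the outreach message from confirmable fields while refusing to ever quote the password hash. The CSV rows, column names and the iMessage domain list are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape the article describes (name, email,
# scrambled password, shoe size, device, trading currency) plus a username
# column; every value is invented for this illustration.
SAMPLE_CSV = """name,username,email,password_hash,shoe_size,device,currency
Alice Example,alice_kicks,alice@icloud.com,$2a$10$Zm9vYmFyYmF6cXV4,9.5,iPhone,USD
Bob Example,bob_runs,bob@example.org,$2a$10$YWJjZGVmZ2hpamtsbW4,11,Android,EUR
Carol Example,carol_c,carol@me.com,$2a$10$bG9yZW1pcHN1bWRvbG9y,8,iPhone,GBP
Dan Example,dan_d,dan@icloud.com,,10,Web,USD
Alice Example,alice_kicks,alice@icloud.com,$2a$10$Zm9vYmFyYmF6cXV4,9.5,iPhone,USD
"""

# Domains the article notes are commonly tied to Apple iMessage accounts.
IMESSAGE_DOMAINS = {"icloud.com", "me.com"}
# Fields we are willing to quote back: easy to confirm, not sensitive.
CONFIRMABLE = ("username", "shoe_size")
# Fields that must never leave the sample, even in scrambled form.
NEVER_SEND = ("password_hash",)


def load_records(text):
    return list(csv.DictReader(io.StringIO(text)))


def sample_stats(records):
    """Cheap plausibility checks before spending effort on outreach:
    duplicate rows, empty password hashes and the spread of domains."""
    emails = [r["email"].strip().lower() for r in records]
    return {
        "rows": len(records),
        "unique_emails": len(set(emails)),
        "duplicate_rows": len(emails) - len(set(emails)),
        "missing_hash": sum(1 for r in records if not r["password_hash"]),
        "domains": Counter(e.rsplit("@", 1)[-1] for e in emails),
    }


def outreach_candidates(records):
    """Deduplicate, keep only addresses likely reachable over iMessage and
    drop every field except the ones we will quote back to the person."""
    seen, out = set(), []
    for r in records:
        email = r["email"].strip().lower()
        domain = email.rsplit("@", 1)[-1]
        if email in seen or domain not in IMESSAGE_DOMAINS:
            continue
        seen.add(email)
        out.append({"email": email, **{k: r[k] for k in CONFIRMABLE}})
    return out


def verification_message(candidate, reporter="a reporter at Ztoog"):
    """Message in the shape the article describes: who we are, why we are
    writing, and details only the real account holder would recognise."""
    for k in NEVER_SEND:
        assert k not in candidate, f"refusing to send {k}"
    return (
        f"I'm {reporter}. We found your information in an as-yet-unreported "
        "data breach and need your help to verify its authenticity so we can "
        "notify the company and other victims. Are you a StockX user with "
        f"username {candidate['username']} and shoe size "
        f"{candidate['shoe_size']}?"
    )


if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    print(sample_stats(recs))
    for c in outreach_candidates(recs):
        print(verification_message(c))
```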

How we figured out leaked 23andMe user data was real

Just like StockX, 23andMe's recent security incident prompted a mass password reset in October 2023. It took 23andMe another two months to confirm that hackers had scraped sensitive profile data on 6.9 million 23andMe customers directly from its servers — data on about half of all 23andMe's customers.

Ztoog figured out fairly quickly that the scraped 23andMe data was likely real, and in doing so learned that hackers had published portions of the 23andMe data two months earlier, in August 2023. It later transpired that the scraping began months earlier still, in April 2023, but 23andMe failed to notice until portions of the scraped data began circulating on a popular subreddit.

The first signs of a breach at 23andMe came when a hacker posted on a known cybercrime forum a sample of 1 million account records of Ashkenazi Jews and 100,000 users of Chinese descent who use 23andMe. The hacker claimed to have 23andMe profile and ancestry data, as well as raw genetic data, for sale.

But it wasn't clear how the data was exfiltrated or even whether the data was real. Even 23andMe said at the time that it was working to verify whether the data was authentic, an effort that would take the company several more weeks.

The sample of 1 million records was also formatted as a comma-separated spreadsheet, revealing reams of similarly and neatly formatted records, each line containing an alleged 23andMe user profile and some of their genetic data. There was no user contact information, only names, gender, and birth years. That wasn't enough information for Ztoog to contact them to verify whether their information was accurate.

The precise formatting of the leaked 23andMe data suggested that each record had been methodically pulled from 23andMe's servers, one by one, but likely at high speed and in considerable volume, and organized into a single file. Had the hacker broken into 23andMe's network and "dumped" a copy of 23andMe's user database directly from its servers, the data would likely present itself in a different format and contain additional details about the server the data was stored on.

One thing immediately stood out from the data: each user record contained a seemingly random 16-character string of letters and numbers, known as a hash. We found that the hash serves as a unique identifier for each 23andMe user account, but also forms part of the web address for the 23andMe user's profile when they log in. We checked this for ourselves by creating a new 23andMe user account and looking for our own 16-character hash in our browser's address bar.

We also found that plenty of people on social media had historic tweets and posts sharing links to their 23andMe profile pages, each featuring the user's unique hash identifier. When we tried to access the links, we were blocked by a 23andMe login wall, presumably because 23andMe had fixed whatever flaw had been exploited to allegedly exfiltrate huge amounts of account data and wiped out all public sharing links in the process. At this point, we believed the user hashes could be useful if we were able to match each hash against other data on the web.

When we plugged a handful of 23andMe user account hashes into search engines, the results returned web pages containing reams of matching ancestry data published years earlier on websites run by genealogy and ancestry hobbyists documenting their own family histories.

In other words, some of the leaked data had already been partially published online. Could this be old data sourced from earlier data breaches?

One by one, the hashes we checked from the leaked data perfectly matched the data published on the genealogy pages. The key thing here is that the two sets of data were formatted somewhat differently, but contained enough of the same unique user information — including the user account hashes and matching genetic data — to suggest that the data we checked was authentic 23andMe user data.

It was clear at this point that 23andMe had experienced a large leak of customer data, but we couldn't confirm for sure how recent or new this leaked data was.

A genealogy hobbyist whose website we referenced for looking up the leaked data told Ztoog that he had about 5,000 relatives found through 23andMe meticulously documented on his website, which is why some of the leaked data matched the hobbyist's data.

The leaks didn't stop. Another data set purportedly on 4 million British users of 23andMe was posted online in the days that followed, and we repeated our verification process. The new set of published data contained numerous matches against the same previously published data. This, too, appeared to be authentic 23andMe user data.
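The cross-referencing step described above, as an added example that is not Ztoog's own code: join a leaked record set against records already public elsewhere on the per-user hash, normalise the two differently formatted sources to the same field names, and classify each hash as an exact match, a conflict (same identifier, differing details) or unseen. The sample rows, the profile URL layout with the hash in its path, and the "haplogroup" stand-in for genetic data are constructed assumptions.

```python
import csv
import io
import re

# Constructed leaked sample, one profile per line with no contact details,
# carrying the 16-character account identifier the article calls a hash.
# Names, years and the "haplogroup" stand-in for genetic data are invented.
LEAKED_CSV = """hash,name,sex,birth_year,haplogroup
a1B2c3D4e5F60718,Jane Roe,F,1971,H1a
0f1E2d3C4b5A6978,John Roe,M,1968,R1b1a
fFfFfFfF00000000,Pat Doe,F,1985,K1a
1234567890abcDEF,Sam Doe,M,1990,J2a
"""

# Constructed records as a genealogy hobbyist's page might lay them out:
# a profile URL with the hash in its path, "Surname, Given" names and a
# different column vocabulary.  The URL layout is an assumption.
PUBLIC_PAGE = [
    {"url": "https://example.invalid/profile/a1B2c3D4e5F60718/",
     "person": "Roe, Jane", "born": "1971", "mtDNA": "H1a"},
    {"url": "https://example.invalid/profile/0f1E2d3C4b5A6978/",
     "person": "Roe, John", "born": "1966", "mtDNA": "R1b1a"},
    {"url": "https://example.invalid/profile/99999999aaaaAAAA/",
     "person": "Doe, Pat", "born": "1985", "mtDNA": "K1a"},
]

HASH_RE = re.compile(r"/([0-9A-Za-z]{16})/")  # 16 letters and digits
COMPARE = ("name", "birth_year", "haplogroup")


def norm_name(s):
    """'Roe, Jane' and 'Jane Roe' both normalise to 'jane roe'."""
    if "," in s:
        last, first = (p.strip() for p in s.split(",", 1))
        s = f"{first} {last}"
    return " ".join(s.lower().split())


def load_leaked(text):
    leaked = {}
    for r in csv.DictReader(io.StringIO(text)):
        r["name"] = norm_name(r["name"])
        leaked[r["hash"]] = r
    return leaked


def index_public(pages):
    """Map hash -> record using the leaked file's field names so the two
    differently formatted sources can be compared field by field."""
    out = {}
    for p in pages:
        m = HASH_RE.search(p["url"])
        if m:
            out[m.group(1)] = {"name": norm_name(p["person"]),
                               "birth_year": p["born"].strip(),
                               "haplogroup": p["mtDNA"].strip()}
    return out


def cross_reference(leaked, public):
    """Classify every leaked hash: 'match' when all compared fields agree
    with the already-public record, 'conflict' when the hash is known but a
    field differs (stale or stitched-together data), 'unseen' otherwise."""
    result = {"match": [], "conflict": {}, "unseen": []}
    for h, rec in leaked.items():
        pub = public.get(h)
        if pub is None:
            result["unseen"].append(h)
            continue
        diffs = [k for k in COMPARE if rec[k] != pub[k]]
        if diffs:
            result["conflict"][h] = diffs
        else:
            result["match"].append(h)
    return result


def match_rate(result):
    """Share of hashes found on public pages whose fields agree exactly."""
    seen = len(result["match"]) + len(result["conflict"])
    return len(result["match"]) / seen if seen else 0.0


if __name__ == "__main__":
    res = cross_reference(load_leaked(LEAKED_CSV), index_public(PUBLIC_PAGE))
    print(res, f"exact-match rate among seen hashes: {match_rate(res):.2f}")
```

A high exact-match rate against data published years earlier supports authenticity but, as the article notes, says nothing about how recent the leak is; conflicts on a known hash are the signal to look for stitched-together or stale data.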

And so that's what we reported. By December, 23andMe admitted that it had experienced a large data breach attributed to a mass scrape of data.

23andMe said hackers used their access to around 14,000 hijacked 23andMe accounts to scrape huge amounts of account and genetic data belonging to other 23andMe users who had opted in to a feature designed to match relatives with similar DNA.

While 23andMe tried to blame the breach on the victims whose accounts were hijacked, 23andMe has not explained how that access permitted the mass downloading of data from the millions of accounts that weren't hacked. 23andMe is now facing dozens of class-action lawsuits related to its security practices prior to the breach.

How we confirmed that U.S. military emails were spilling online from a government cloud

Sometimes the source of a data breach — even an accidental release of personal information — isn't a shareable file full of user data. Sometimes the source of a breach is in the cloud.

The cloud is a fancy term for "someone else's computer," which can be accessed online from anywhere in the world. That means companies, organizations and governments store their files, emails, and other office documents on huge banks of online storage often run by a handful of the big tech giants, like Amazon, Google, Microsoft, and Oracle. And, for their highly sensitive customers like governments and militaries, the cloud companies offer separate, segmented and highly fortified clouds for extra protection against the most dedicated and well-resourced spies and hackers.

In reality, a data breach in the cloud can be as simple as leaving a cloud server connected to the internet without a password, allowing anyone on the internet to access whatever contents are stored inside.

It happens, and more often than you might think. People actually find them! And some people are really good at it.

Anurag Sen is a good-faith security researcher who is well known for finding sensitive data mistakenly published to the internet. He has found numerous spills of data over the years by scouring the web for leaky clouds with the goal of getting them fixed. It's a good thing, and we thank him for it.

Over the Presidents Day federal holiday weekend in February 2023, Sen contacted Ztoog, alarmed. He had found what looked like the sensitive contents of U.S. military emails spilling online from Microsoft's dedicated cloud for the U.S. military, which by all accounts should be highly secured and locked down. Data spilling from a government cloud isn't something you see very often; it is like a rush of water blasting from a hole in a dam.

But in reality, someone, somewhere (and somehow) removed a password from a server in this supposedly highly fortified cloud, effectively punching a big hole in this cloud server's defenses and allowing anyone on the open internet to digitally dive in and peruse the data inside. It was human error, not a malicious hack.

If Sen was right and these emails proved to be real U.S. military emails, we had to move quickly to ensure the leak was plugged as soon as possible, fearing that someone nefarious could soon find the data themselves.

Sen shared the server's IP address, a string of numbers assigned to its digital location on the internet. Using an online service like Shodan, which automatically catalogs databases and servers found exposed to the internet, it was easy to quickly determine a few things about the exposed server.

Firstly, Shodan's listing for the IP address showed that the server was hosted on Microsoft's Azure cloud specifically for U.S. military customers (known as "usdodeast"). Shodan also revealed specifically what software on the server was leaking: an Elasticsearch engine, often used for ingesting, organizing, analyzing and visualizing huge amounts of data.

Although the U.S. military inboxes themselves were secure, it appeared that the Elasticsearch database tasked with analyzing those inboxes was insecure and inadvertently leaking data from the cloud. The Shodan listing showed the Elasticsearch database contained about 2.6 terabytes of data, the equivalent of dozens of hard drives full of emails. Adding to the sense of urgency in getting the database secured, the data in the Elasticsearch database could be accessed through a web browser simply by typing in the server's IP address. All to say, these military emails were extremely easy for anyone on the internet to find and access.

By this point, we had ascertained that this was almost certainly real U.S. military email data spilling from a government cloud. But the U.S. military is huge and disclosing this was going to be difficult, especially during a federal holiday weekend. Given the potential sensitivity of the data, we had to figure out quickly who to contact and make this their priority — and not drop emails with potentially sensitive information into a faceless catch-all inbox with no guarantee of getting a response.

Sen also provided screenshots (a reminder to document your findings!) showing exposed emails sent from a variety of U.S. military email domains.

Since Elasticsearch data is accessible through a web browser, the data inside can be queried and visualized in a variety of ways. This can help to contextualize the data you're dealing with and provide hints as to its potential ownership.

A screenshot showing how we queried the database to count how many emails contained a search term, such as an email domain. In this case, it was "socom.mil," the email domain for U.S. Special Operations Command. Image Credits: Ztoog

For example, many of the screenshots Sen shared contained emails related to @socom.mil, or U.S. Special Operations Command, which carries out special military operations overseas.

We wanted to see how many emails were in the database without looking at their potentially sensitive contents, and used the screenshots as a reference point.

By submitting queries to the database in our web browser, we used the built-in Elasticsearch "count" parameter to retrieve the number of times a specific keyword — in this case an email domain — was matched against the database. Using this counting method, we determined that the email domain "socom.mil" was referenced in more than 10 million database entries. By that logic, since SOCOM was significantly affected by this leak, it should bear some responsibility for remediating the exposed database.

And that's who we contacted. The exposed database was secured the next day, and our story published soon after.

It took a year for the U.S. military to disclose the breach, notifying some 20,000 military personnel and other affected individuals of the data spill. It remains unclear exactly how the database became public in the first place. The Department of Defense said the vendor — Microsoft, in this case — "resolved the issues that resulted in the exposure," suggesting the spill was Microsoft's responsibility to bear. For its part, Microsoft has still not acknowledged the incident.

To contact this reporter, or to share breached or leaked data, you can get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.
