Tech companies are leaving your private data unlocked online and there isn’t much you can do about it. (image: Flickr/ Maarten Van Damme)
SANTA ROSA, CALIF. — Chances are your private data has probably been available on the web for any random visitor to read. And you may not even be able to blame hackers or identity thieves for it.
Instead, somebody at a company that collected or handled your information — maybe a wireless carrier, maybe a software firm with a mailing list, maybe a political research firm trying to put you in one likely-voter box or another — may have left it vulnerable on their own. And this happens often enough for a security researcher to make finding these exposures his speciality.
What’s more, there’s really not much you can do about it short of becoming a digital hermit.
A boom in breaches
Chris Vickery, director of cyber risk research at Upguard Security, has a simple theory for why he keeps finding databases open.
“I would say convenience is probably the biggest reason,” Vickery said during an interview at a coffee shop in this Sonoma County city where he works remotely for his Mountain View, California employer. “It’s easier just to have it open to everybody.”
At best, he added, some hapless employee doesn’t think they left the data exposed or believes nobody will stumble upon their attempt to ease telecommuting.
But the consequences of changing secure default settings in such cloud systems as Amazon’s (AMZN) AWS can go well beyond extra spam.
For example, the 13 million account credentials from the Mac-software firm Kromtech that Vickery found in 2015 could have been used to hack into other accounts “secured” with the same passwords.
The 6 million Verizon (VZ) wireless subscriber records Vickery found last month included some account passcodes that an attacker might have used to defeat two-step verification security that confirms strange logins with a one-time code texted to your phone.
(Verizon’s media division Oath owns Yahoo Finance.)
And the 87 million Mexican voting records he uncovered in 2016 could have been exploited by drug traffickers to compound the country’s plague of kidnappings and murders. Vickery recalled one immediate reaction: “You cannot let the cartels know about this.”
The 32-year-old’s work has won endorsements from other security researchers.
“Chris has been enormously effective at sniffing out exposed data left at risk in all sorts of obscure places,” said Troy Hunt, an Australian researcher who runs a data-breach index called Have I been pwned? that can reveal if your accounts have been exposed.
“The amount of data that comes back isn’t a ton, but it happens at a very, very fast rate,” he said.
At no point, he said, does he engage in hacking or impersonation of a legitimate user.
“If you have a password or a username set up, I’m not going to go any further,” he said. “I don’t trick anything.”
If a search locates apparently sensitive data, he will download a sample to confirm that it represents material that should have stayed private. He usually doesn’t bother looking for his own info, but he has not been amused when he finds it — such as in a leaked voter-registration database in 2016.
“I looked myself up just to see if it was legit, and it was all my data,” he recalled “I was pretty pissed.”
Hunt, the Australian researcher, recently met even more egregious resistance when a British firm selling family discounts for things like theme parks blocked him and others on Twitter for tweeting about its lax security.
“I used to start at the bottom, calling the receptionist or something,” Vickery said. “Now I’ll start with the breached data and then find the CEO’s home number and call him at dinner. That usually gets a faster response.”
Unhelpful responses and an unhelpful law
But a response accepting his findings can still come seasoned with denial. Vickery advised against trusting the common excuse that only he saw the exposed data — many companies don’t keep the access records needed to prove that claim.
“They can say that plausibly because they’re not keeping logs,” he said.
Vickery said he has also received the occasional legal threat, despite making a point of not using hacking tools to sneak into sites.
“No law enforcement agency has ever even suggested that what I do is illegal,” he said.
But the 1986-vintage Computer Fraud and Abuse Act applies such a broad definition of online trespassing that a company could feasibly try to sue a researcher like Vickery.
Will another round of data-breach headlines change that? We’ll probably find out soon enough, Vickery said. While consumers are now better educated about the scope of the problem, companies keep making the same mistakes.
“I think things have gotten better in the past couple of years as far as awareness goes,” Vickery said. “But the number of breaches happening hasn’t decreased at all.”
