The politics of ‘Have I Been Pwned’

Data breaches are not created equal. Business leaders and security managers must beware the dangers of FUD and hype created around notification of old breaches.


Last week a new data leak dubbed “Collection 1” appeared online, exposing 773 million hacked email accounts and their credentials. The leak was reported by security researcher Troy Hunt and subsequently picked up by major news outlets across the globe.

Understandably, a breach of this size is a cause for alarm. Digging deeper, however, one finds that this is an aggregation of previous breaches, most of them two to three years old. In a conversation with Stan Bounev of VeriClouds, I learned that over 90% of the data in Collection 1 already existed in his database. Similarly, Brian Krebs, who spoke with Alex Holden of Hold Security, reported that Holden had previously gathered 99% of the data in this leak from other sources.

This isn’t the first time that an aggregation of leaked sources surfaced online. I wrote in December 2017 that “a more nuanced conversation is required to understand the risks that this interactive database poses to organizations” upon news of 1.4 billion compromised credentials being leaked and shared on the dark web.

Reporting on data breaches in a way that generates FUD and hype about old news and previously known breaches is a recurring theme of coverage of Troy Hunt and Have I Been Pwned (HIBP), and it raises the specter of compromise out of proportion to the new risk. The trend is even more disturbing after several encounters I have had with Hunt loyalists, including members of the press.

During a meeting last summer with a Director of Threat Intelligence and Incident Response of a major US technology corporation, a comment was made that “I don’t know of any white hat security researchers other than Troy Hunt.” More troubling was an email I exchanged with a journalist from a prominent technology news outlet. Upon offering to brief him on modern credential-centric threat intelligence capabilities, he replied: “If it’s not from Troy Hunt, I don’t trust it.” He later blocked me on Twitter after I pointed out what a closed-minded thing to say that was and that it wasn’t the sort of view I would expect to hear from a prolific journalist.

Are fixed mindsets and personal biases affecting the quality of journalism today?

We are all victims now

Observing the reaction of mainstream reporters and followers of Hunt’s breach notification, there is an element of surprise or even shock that such massive data leaks exist and are circulating on the dark web and elsewhere online. The danger in this mindset – and in relying on free breach notification services – is that it puts the consumers of such journalism and services in a reactive posture instead of a proactive one.

It is no longer enough to answer the question, “Has my email been compromised or found in a data breach?” Leading security practitioners assume a state of breach. Forward-thinking organizations have begun adopting credential-centric identity threat intelligence solutions that help answer the question, “How exposed are my users and my organization to the risk of compromised credentials?”

In the wake of recent breaches like Equifax, Facebook, Deloitte, Quora, Yahoo (and others) it is clear that we are all victims now. I am reasonably convinced that my email accounts and recycled credentials have spilled onto the dark web, through one breach or another (e.g., generic indicators of compromise).

How much better would the user experience be if, instead of displaying warnings for every email account breach notice, logins were blocked and password resets forced only when specific indicators of compromise were verified?

In the post-breach world that we live in, it is critical for identity and access management systems to be able to detect and respond to real and verifiable credential-centric risks without any human intervention and filter out the noise of breach notification warnings.
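The distinction the two preceding paragraphs draw is the difference between an email address merely appearing in some old dump and the exact credential pair a user is presenting right now being known leaked. The following added example (not code from the article or from any vendor it names) shows how a login flow can act on that distinction automatically: it blocks and forces a reset only when the submitted email-plus-password pair matches a verified compromised-credential record, lets the login through when only the email is in a breach list (logging it rather than alarming the user), and summarizes the results as an organization-level exposure count. The fingerprint scheme, the `VERIFIED_LEAKED_PAIRS` and `EMAILS_IN_SOME_BREACH` sets, and all user records are constructed sample data standing in for a real feed.

```python
"""Credential-pair verification at login versus email-only breach notification.

Added illustration; the feed contents and fingerprint scheme are assumptions,
not the format of any real vendor service.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"                      # no indicator at all for this user
    ALLOW_AND_LOG = "allow_and_log"      # email seen in a breach, but not this credential
    BLOCK_AND_RESET = "block_and_reset"  # this exact email+password pair is known leaked


@dataclass(frozen=True)
class Decision:
    action: Action
    reason: str


def normalize_email(email: str) -> str:
    """Canonical form so 'Alice@Example.com ' and 'alice@example.com' match."""
    return email.strip().lower()


def credential_fingerprint(email: str, password: str) -> str:
    """SHA-256 over 'email:password'.

    Assumption: the compromised-credential feed stores the same fingerprint, so
    the verifier never has to hold leaked plaintext passwords itself.
    """
    material = f"{normalize_email(email)}:{password}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


# --- Constructed sample feed -------------------------------------------------
# Exact credential pairs verified as leaked: the "specific indicator of compromise".
VERIFIED_LEAKED_PAIRS = {
    credential_fingerprint("alice@example.com", "Summer2016!"),
    credential_fingerprint("carol@example.com", "password123"),
}
# Emails that merely appear in some old breach dump: the "notification noise".
EMAILS_IN_SOME_BREACH = {"alice@example.com", "bob@example.com", "carol@example.com"}


def evaluate_login(email: str, password: str,
                   leaked_pairs=VERIFIED_LEAKED_PAIRS,
                   breached_emails=EMAILS_IN_SOME_BREACH) -> Decision:
    """Decide what to do with a login attempt based on the credential pair.

    Only an exact pair match triggers the disruptive response; an email that
    shows up in a breach list with a different password is recorded, not blocked.
    """
    if credential_fingerprint(email, password) in leaked_pairs:
        return Decision(Action.BLOCK_AND_RESET,
                        "submitted credential pair matches a verified leaked record")
    if normalize_email(email) in breached_emails:
        return Decision(Action.ALLOW_AND_LOG,
                        "email appears in a breach, but this password does not")
    return Decision(Action.ALLOW, "no known indicator for this credential")


def exposure_summary(decisions) -> dict:
    """Answer 'how exposed are my users?' as counts per action over a batch of logins."""
    counts = Counter(d.action.value for d in decisions)
    total = sum(counts.values())
    return {
        "total": total,
        "blocked": counts[Action.BLOCK_AND_RESET.value],
        "logged_only": counts[Action.ALLOW_AND_LOG.value],
        "clean": counts[Action.ALLOW.value],
        # Share of attempts that presented a verifiably compromised credential
        "blocked_fraction": (counts[Action.BLOCK_AND_RESET.value] / total) if total else 0.0,
    }


if __name__ == "__main__":
    # Constructed login attempts for a small batch of users.
    attempts = [
        ("Alice@Example.com ", "Summer2016!"),         # reused leaked password -> block
        ("bob@example.com", "correct horse battery"),  # email in a dump only -> log
        ("carol@example.com", "a-fresh-passphrase"),   # already rotated -> log
        ("dave@example.com", "anything"),              # no indicator -> allow
    ]
    results = [evaluate_login(e, p) for e, p in attempts]
    for (e, _), d in zip(attempts, results):
        print(f"{normalize_email(e):20} {d.action.value:16} {d.reason}")
    print(exposure_summary(results))
```

The point of the split between `BLOCK_AND_RESET` and `ALLOW_AND_LOG` is that the disruptive control fires on a verified credential match rather than on "your email was in a breach", which is exactly the noise the article complains about. Checking submitted passwords against known-compromised values is also in line with the NIST SP 800-63B guidance the article cites later.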

Troy Hunt is not the only security researcher

While collecting my thoughts and jotting down notes for this article, I summarized it for my wife while driving between Seattle and Spokane, Washington. She informed me that an article about Troy Hunt and HIBP showed up in her news feed and that she scanned the article reporting on a massive data breach. I then asked her, “Did you happen to read my latest article for CSO Online?” and I was disappointed to hear that she did not.

In light of the preferences expressed by many folks for Hunt and his breach notification, I doubt that anyone would ever get fired for citing his research or using his APIs in their projects. By his own admission, Hunt spends about four hours per week maintaining his free service. Biased reporters seeking to increase their views and celebrity researchers like Hunt have done more to promote themselves than to educate their audiences about effective identity and digital threat protection solutions readily available on the market today.

There are thousands of professional security researchers working at well-funded start-ups and large companies globally who work tirelessly and without fanfare. These same researchers, some of whom I have had the pleasure of working with, don’t always receive recognition or publish their findings at all, but dedicate their careers to fighting cybercrime, preventing financial fraud and saving democracy itself.

These are the same researchers and security engineers whose contributions make it into the products and services that we use every day, and whose life work and dedication are worthy of a gold medal. Just because Hunt was the first to report on a data breach doesn’t mean he was the first security researcher to discover the breach. It just means he was the first to publicly report on it, which isn’t saying a lot in the economy of data breaches.

Commercial alternatives deserve consideration

Modern credential-centric threat intelligence services enable organizations to realize some of the benefits of the Gartner CARTA model for unprecedented visibility and risk management and help public organizations to satisfy NIST SP 800-63 guidelines. Organizations interested in being more proactive with their response to and remediation of compromised credentials should consider solutions like Blackfish from Shape Security, which autonomously identifies stolen passwords before the original data breach is reported or even detected according to its website. Organizations can consider CredVerify from VeriClouds, which provides visibility into more than 90% of the leaked databases on the dark web according to its website. [Disclaimer: I was formerly the CEO of VeriClouds.] Alternatively, an organization can also consider IDLake from 4IQ, which helps customers to scale with better data and more attributes, according to its website.

Commercial solutions offer customers access to economies of scale, privacy by design and coverage of dark web data that is just not available with free services today. HIBP is now mostly irrelevant due to the sophistication – with help from artificial intelligence and automation – that modern identity and digital threat intelligence services have developed and brought to the marketplace.

The stakes could not be higher. How many calls does your help desk receive each day requesting help with resetting problematic and compromised passwords? How much time and labor would it save your company if that number were cut by 50% by using a commercial identity threat protection suite? Would you rather invest six figures now to improve your detective and corrective controls, or pay seven figures later in fines and recovery costs after a data breach that can have a long-term impact on reputation and financial performance?

I don’t know about you, but I’d rather allocate budget to invest in engineering resources and proven scalable solutions for my organization than donate to HIBP and help Troy make his next boat payment.

This story, "The politics of ‘Have I Been Pwned’" was originally published by CSO.