Updated: March 17, 2020
Cyber security breaches often go undetected—until a service department hears a customer complaint, an individual notices funds depleted from their bank account, or other unfortunate consequences come to light.
Before a breach unravels into your worst nightmare, the exposed data often first appears as an unindexed, public post:
Pastebin email dump - we blurred addresses to protect identities
This screenshot shows a classic example of a public email dump. Finding personal information like executive emails on a site like Pastebin is often early evidence of a data breach—but it can be unclear why that information is there, and how exactly cybercriminals exploit it.
This article explores a number of secondary consequences of breached data and how discovering its early traces is one of the best strategies for preventing and mitigating a breach.
What Information Is Breached Online?
Breached data usually boils down to one of two categories: personally identifiable information (PII) and private documents or other non-personal, proprietary information.
Personally identifiable information includes:
- Full names
- Email addresses
- Security question answers
- Home addresses
- Phone numbers
- Dates of birth
- Social security numbers
- Driver's license numbers
- Financial credentials (e.g. CC numbers, online banking logins)
- Insurance policy numbers
- Personal health information
- PII from friends and family members
Examples of non-personal breached data include:
- Classified government documents
- Internal company information, such as trade secrets or business relationships, plans, or blueprints
- Proprietary source code and other intellectual property
PII is typically discovered by hacking into a vulnerable system, either through a computer or a person (more on social engineering below). Hacked PII is also easily accessed for free on unindexed websites like Pastebin and DeepPaste (on the dark web) or bought and sold on dark web marketplaces.
PII can also be unintentionally exposed by individuals on social media. If your go-to security question is “What is the name of your favourite pet,” this information is easily discoverable if your public Instagram feed is full of dog pics. It’s surprisingly common for people to post images of PII without understanding the associated risks (e.g. posting a student ID in a celebratory “back-to-school” post).
A user exposes their full name, address, and life insurance policy number publicly on Flickr—discovered using Echosec.
Once this information is obtained, how is it exploited?
8 Ways Attackers Exploit Breached Data
There are many strategies used to exploit breached information, and cybercriminals constantly adapt their methods to surpass security measures. Many of these data breach consequences fall under the umbrella of “identity theft,” the act of illegally exploiting another’s personal data for financial gain or another benefit. The following are some of the main ways this information is leveraged—including trending tactics like SIM jacking.
According to IBM’s 2019 Threat Intelligence Index, finance and insurance are the industries most targeted by online security threats. This makes sense, given that accessing private financial details is the most immediate way to monetize a person’s identity. Children are often identity theft targets, as they don’t have any existing information, such as credit history, linked to their SSNs.
The most obvious method of exploiting PII is to cash out a person’s bank account. Executives and other VIPs are highly targeted as they usually have higher balances. There is a massive market for breached bank account logins on the dark web, giving criminals direct access to an individual’s savings and credit. Financial PII is also used to:
- Set up bank drops. Bank drops are legitimate-looking accounts used to hold illegally-obtained funds, establish fake credit scores, and secure fraudulent loans.
- Create counterfeit debit cards, credit cards, and cheques in another person’s name. These cards can be quite sophisticated, with mag stripes and security features built-in.
- File another individual’s taxes and claim the return before the legitimate taxpayer does.
- Purchase medical care or prescription drugs available under another person’s insurance policy.
A guide for using PII (“fullz”) to commit tax fraud for sale on the dark web—discovered using Beacon
Illegal Immigration & International Crime
Identity theft enables individuals to illegally cross borders. There are thousands of dark web marketplace listings for stolen documents and cloned ID services illegally distributing passports and work permits. These are largely targeted at refugees and other individuals illegally establishing residence. In extreme cases, however, fraudulent IDs could enable espionage or terrorism in a foreign country.
Cybercriminals can use breached company information to strengthen phishing email strategies. Fraudsters pose as a reputable individual, such as a company executive, to request certain information or actions from the email target (often an internal employee). Phishers use executive PII to legitimize requests and establish trust with the target, increasing the likelihood of a successful cyber attack.
Credential stuffing is a method of automating the login process to multiple accounts using breached emails/usernames and passwords. Any further information contained within those accounts is then vulnerable.
This allows bad actors to gain access to thousands or even millions of accounts, depending on the size of the breach. A mega breach of 1 million records costs organizations USD $40 million on average. This number of breached user accounts can grow even further if individuals reuse the same password for multiple accounts. A 2019 Google survey found that this was the case for two-thirds of its 3,000 participants.
Account logins breached on DeepPaste, a dark web paste site—discovered using Beacon
Black hat hackers are commonly depicted as hooded computer users alone in a dark room—an image more associated with technical skills than social ones.
In reality, human error and emotional vulnerabilities are much easier to “hack” than computers. All it takes is a little psychology know-how, some social manipulation skills, and practice.
“Here is an easy, step-by-step process for hacking a computer:
1. Ask the operator for the password.
2. Sign in.”—from What is Hacking? How Does it Work?
Customer support departments in a variety of industries usually request full names, dates of birth, SSNs, mailing addresses, or phone numbers to verify customer or employee identity.
Those identifiers might seem innocuous on their own, but they’re all a hacker needs to gain account access, change user settings, and use social engineering to extract more PII from the agent.
Social engineering tactics are often used to perform more specific types of cybercrime. SIM jacking, also called SIM swapping, is the act of transferring an individual’s phone service provider account to a SIM card in the hacker’s possession. This gives the hacker access to any accounts linked to that phone—such as banking app logins and social media accounts.
SIM jackers do this by finding an individual’s phone number and using social engineering or bribery to switch the account to a new SIM card. If they have access to more breached PII, such as date of birth, account number, or security question answer, the request is even easier to make.
Doxxing and Hacktivism
Doxxing is the act of breaching an individual’s PII as a form of online harassment or revenge. A comprehensive doxxing breach typically includes an individual’s full name, address, contact and workplace information, accounts, PII for their friends and immediate family members, and reasons for the dox.
Individuals are doxxed for a variety of reasons. Sometimes targets are criminals themselves, but they are often innocent targets of hacktivism. For example, executives, law enforcement, and other VIPs are often targeted by online groups with extreme political stances. Doxxes are valuable for hackers looking to leverage PII using any of the methods described in this article—especially due to the extensive nature of the information breached.
CEO dox on Pastebin.com—discovered using Beacon
Exposing Non-PII Vulnerabilities
As mentioned earlier, PII isn’t the only data susceptible in an attack. Internal company information, proprietary source code, intellectual property, and classified public service documents are other examples of vulnerable information.
Dark websites and paste bins are often used to share breached code. Bad actors can use this to identify vulnerabilities and learn how and where to hack into systems. Other breached information, such as business plans and strategic relationships, could affect a company’s global reputation and partnerships. Documents related to government, like defence plans or building blueprints, could have serious public safety and global security ramifications.
Another DeepPaste post offering classified military documents—discovered using Beacon
Respond to Data Breaches Faster
The key to mitigating a corporate data breach is catching the attack in its early stages. This is where finding vulnerable PII and other breached data on the surface, deep, and dark webs becomes critical to an organization’s security strategy. For example, finding internal company email dumps on Pastebin or leaked data on a dark web forum could signal a security team to investigate system vulnerabilities and prevent the situation from escalating.
The problem with finding breached data is that deep and dark websites hosting this information are unindexed by common search engines. This makes relevant information extremely time-consuming and potentially dangerous to find. For example, Pastebin, a valuable source of breached data on the deep web, requires specialized tools to efficiently search.
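One way to triage a paste's text, once retrieved, for the kind of internal email dump described above. This is an added example, not code from the original article or from Beacon; the monitored domains, the sample paste and the function names are constructed placeholders.

```python
import re

# Constructed placeholder domains; substitute the domains your organization owns.
MONITORED_DOMAINS = frozenset({"example.com", "example.org"})
EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
SEPARATORS = ":;|\t"  # delimiters commonly seen between address and secret in dumps

def is_monitored(domain, monitored):
    """True for a monitored domain or any subdomain of one (not look-alikes)."""
    return any(domain == d or domain.endswith("." + d) for d in monitored)

def triage_paste(text, monitored=MONITORED_DOMAINS, min_addresses=3):
    """Classify one paste by how much monitored-domain data it exposes."""
    seen, with_secret = set(), set()
    for line in text.splitlines():
        for m in EMAIL_RE.finditer(line):
            local, domain = m.group(1).lower(), m.group(2).lower()
            if not is_monitored(domain, monitored):
                continue
            seen.add((local, domain))
            tail = line[m.end():]
            # A delimiter followed by a non-space token suggests an address:secret
            # pair. The secret itself is never stored or returned.
            if len(tail) >= 2 and tail[0] in SEPARATORS and not tail[1].isspace():
                with_secret.add((local, domain))
    if with_secret:
        verdict = "credential_dump"   # likely usable logins: reset and investigate
    elif len(seen) >= min_addresses:
        verdict = "email_dump"        # address list: early breach or phishing signal
    elif seen:
        verdict = "mention"
    else:
        verdict = "no_match"
    return {
        "verdict": verdict,
        # Mask local parts so the alert does not re-publish the leaked addresses.
        "addresses": sorted(f"{l[0]}***@{d}" for l, d in seen),
        "with_secret": len(with_secret),
    }

# Constructed sample paste text, not real data.
SAMPLE_PASTE = """\
ceo@example.com:Winter2019!
j.doe@mail.example.com:qwerty
someone@unrelated.test:hunter2
contact press@example.org for info
"""
```

Calling `triage_paste(SAMPLE_PASTE)` returns a verdict plus masked addresses, which can feed an alert queue without copying leaked secrets into it.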
Beacon is the Echosec Systems Platform's data discovery tool for the deep and dark web. The tool allows users to efficiently find PII relevant to their organization on a variety of unindexed sources that could signal a system intrusion early on.
Beacon automatically separates data from common paste sites into a "Documents" tab, and information from current breached data repositories into a "Breaches" tab. This feature enables easier search navigation so you can find relevant breached entities as soon as they appear online and respond faster.
According to a global 2018 report by IBM and the Ponemon Institute, the average cost of a data breach totals USD $3.86 million—and then there are immeasurable costs of violating customer and stakeholder information security and eroding brand reputation. Breached information is vulnerable to a variety of secondary consequences, including various forms of identity theft and other physical and data security threats.
Data discovery tools enable organizations to quickly find early indicators of breached data on paste sites and other unindexed areas of the web. Security professionals can then mitigate risks and adapt security strategies faster to avoid future cyber threats and secondary consequences.