  • 7 weeks ago
People and companies get hacked all the time. Corporate secrets, credit card numbers, password to your email, your medical information—even your Netflix login might get stolen. But where does that data go once it's been stolen? Today, WIRED's Andrew Couts takes a deep dive into the hacked data economy.

Director: Efrat Kashai
Director of Photography: Mar Alfonso
Editor: Matthew Colby
Host: Andrew Couts
Guest: Troy Hunt
Camera Operator: Jeremy Harris
Gaffer: Salif Soumahoro
Sound Mixer: Sean Paulsen
Production Assistant: Shanti Cuizon-Burden
Post Production Supervisor: Christian Olguin
Supervising Editor: Eduardo Araujo
Assistant Editor: Andy Morell

Transcript
00:00People and companies get hacked all the time. Corporate secrets, credit card numbers,
00:04password to your email, your medical information, even your Netflix login might get stolen.
00:09But where does that data go? Today we're doing a deep dive into the hacked data economy.
00:13We'll also speak with Troy Hunt, founder of Have I Been Pwned,
00:16a tool that lets you know if your data has been breached. This is Incognito Mode.
00:19There are a few types of hackers. There's state-sponsored hacking groups, or advanced
00:30persistent threats. There's hacktivists, and then there's criminal hackers. State-sponsored hackers
00:35are typically going to be hacking for espionage, blackmail, purposes that serve the state that
00:40they're sponsored by. There's also hacktivists, which go after companies or other organizations
00:44that they have some problem with. Think a weapons manufacturer or a police department. And then
00:49there's criminal hackers. These types of hackers are pretty indiscriminate. They'll go after any
00:53system where they can steal data and then make money from that data in one way or another.
00:57What happens to your data after it gets stolen really depends on who did the hacking. If it's
01:01a state-sponsored hacker, we might not know what happens to that data. Because state-sponsored hackers
01:06are acting on behalf of their own government, the data often goes into a black box. And as an outsider,
01:11it's really hard to know what happens to that data. One of the largest data breaches in history,
01:15it happened at Equifax, the company that tracks all your credit cards and mortgages to determine
01:20your credit score. In the case of Equifax, tens of millions of people's data was stolen,
01:25but we've never seen that data surface online. Sometimes the data is leaked. Think Russia's
01:29hack of the Democratic National Committee, which had all its emails published online. A U.S.
01:33government investigation into the Russian hack of the DNC found that one of the main reasons for
01:38the breach was to release the data and cause chaos in the U.S. political system. We don't know if they
01:42did anything else with the data as well. In the case of a breach by hacktivists, the hackers will
01:47often steal the data and then share that with journalists or maybe just post it themselves
01:51online. Notorious hacking group Anonymous has declared war on Russia. Russian government,
01:57Russian military records being dumped out onto the internet. The goal is really to embarrass,
02:02shame, and cause problems for whatever entity that they've hacked. Hacks by cybercriminals are probably
02:07what you think of when you think of getting hacked. When criminal hackers break into a system,
02:10they'll often steal as much data as they can. Think credit card numbers, your email and passwords,
02:16your medical information. From there it gets sold and traded to other criminal hackers. And by the
02:20time you know that your credit card has been stolen, it may have been posted online multiple times.
02:24While any hacker might post information online, it's a criminal hack where you'll most likely see your
02:28information exposed. So if you go to a website like Have I Been Pwned and see that your information was
02:33breached, it was probably a criminal hack. Some state-sponsored hackers blur the lines and get into
02:38criminal hacking. North Korea, for example, is involved in billions of dollars worth of theft of
02:42cryptocurrencies either through ransomware attacks or hacking crypto exchanges directly. It's widely believed North Korean
02:48hackers use the stolen money to fund the government, including its nuclear weapons program.
02:55There are two main ways that criminal hackers make money. One is selling your data and the other is ransomware.
03:00First, we'll talk about ransomware. Ransomware is a type of malware that allows a hacker to go into a system,
03:05steal the data, and then encrypt the system so it's unusable. You'll often see hospitals,
03:10government organizations, and other entities that need to function get targeted by ransomware.
03:15They'll say, if you don't pay me, say, 200 Bitcoin, we're going to leak your data online. When we're
03:20talking about medical information or financial information, this is really sensitive and could
03:24be extremely damaging, not just to you, but to the organization itself. A victim organization typically
03:29has two choices. They can either pay or not. If they choose not to pay, and the hackers do leak the data,
03:34the victim organization is just going to have to deal with the fallout from that and likely have
03:38to have some type of way to mitigate the attack and get back online and continue their operation.
03:43The other option, which experts highly advise against because it encourages other ransomware
03:47attacks, is to pay the ransom. This happened to Change Healthcare when in 2024 they were victims of
03:52a ransomware attack and ultimately paid 350 Bitcoin, or around 22 million dollars, to the hacker group.
03:58Unfortunately for Change Healthcare, a second hacker group got its hands on the data and appeared to post it
04:03online. So even though Change Healthcare paid a fortune to keep their data from getting leaked online,
04:08it still happened and they didn't get much out of it.
04:12Another way hackers make money is by just selling your data online. So what does that mean exactly
04:17and what does that look like? So if your data is sold, it's often packaged together, auctioned off,
04:22and paid for. This is a massive underground economy and what we call the hacked data pipeline.
04:26Newly stolen data often first appears in private groups like hacker networks, forums,
04:31and group chats before it ever hits the open market. You can think of this as the wholesale
04:35distribution step, where hackers share the data with trusted sources and try to unload it all at
04:40once for a huge sum. From there, the data makes its way to dark web marketplaces. The dark web isn't
04:46searchable with normal tools like Google, and you have to use a special browser called the Tor Browser
04:50to access dark web sites. Tor Browser is just like any other browser, except it protects you against
04:55surveillance and censorship when surfing the internet. It was developed to make it difficult for people to know who you
05:00are and what sites you're visiting. Dark web marketplaces provide anonymity for both sellers
05:05and buyers, making it ideal for cyber criminals. Hacked data is also used to build tools to help protect
05:10people who've been affected by breaches. One of these tools is Have I Been Pwned. Troy Hunt, thanks for
05:15joining us. For somebody who's never like been on one of these kinds of forums, what does that look like?
05:19Well, they look just like a forum to comment on cats, you know? There's threads and comments and reputations,
05:25and everyone's trying to be anonymous. It's a very recognizable environment. You've just got people there
05:30talking about crimes and exchanging personal data for their own benefit. What would you say is kind of
05:37the most sensitive data that ends up getting shared in these databases? So we categorize somewhere in the order of
05:42about 150 data classes, so different types of personal information. And by far, the number one most prevalent is email address.
05:49Passwords are still enormously prevalent as well. Usually not in plain text these days. They're hashed
05:55and protected to one degree or another. And after that, the most common attributes are things like name,
06:00phone number, physical address. But then if we go all the way through to the most sensitive end, we get
06:04anything from, say, government-issued IDs, so things like a passport, a driver's license, through to the
06:10things that are deeply personal, like health data, and all the way through to sensitive topics about the
06:16desires that you have in the bedroom. And something like Ashley Madison is a good example of that.
06:20There are dozens of marketplaces for stolen data. Some of them include STYX Market, BriansClub,
06:26Russian Market, and BidenCash. Some of these marketplaces have tens of thousands of listings.
06:31Often your data will be sold there alongside things like drugs, counterfeit items, or other cybercrime tools.
06:37Market prices for your data vary, but some are surprisingly cheap. For example, the details for a credit card with
06:42a $5,000 balance can go for as little as $110. A Netflix login could cost somebody as little as 10 bucks.
06:49Things like credit card info are usually sold in bulk, but for higher value data like corporate secrets,
06:54they're often auctioned off to the highest bidder. Marketplaces are often controlled by groups or
06:58individuals based in Eastern Europe or in other areas that don't have extradition treaties with the
07:02United States, like Russia or China. As you can imagine, most sales on dark web markets are made using
07:07cryptocurrency, which makes it much more difficult to trace than something like a credit card or PayPal.
07:12Stolen data is often sold to other cybercriminals who use it for identity theft, taking over social
07:17media accounts, medical fraud, and more. Stolen emails, usernames, and passwords are often used
07:22for something called credential stuffing. This is when a cybercriminal tries a username and password
07:26on a bunch of different sites or services and tries to hack in. This works because people very often
07:31reuse the same password over and over again, allowing a criminal to get into an account even if they
07:35don't really know what the password is. So if the cybercriminal buys the login for your email address,
07:40they might then use that information to get into your social media accounts, message all your friends,
07:44and ask for money. They could also do something more straightforward like get into your bank account
07:48and then just wire themselves all your money. Your stolen information can be used to open fraudulent
07:52bank accounts, apply for loans, or commit tax fraud. Your medical information might be used for
07:57insurance scams or to get prescription drugs. Once your information is posted online, it can be sold
08:02and resold and used by multiple hackers before you even know it's stolen. That means the hacker that stole your
08:07data isn't necessarily the same person who's putting fraudulent charges on your credit card.
08:11Even if the information that's stolen is really basic, like just your name and your email address and
08:15phone number, that can still be used for phishing attacks in which cybercriminals send malicious
08:19links and get people to download malware. It can also be used to target you for scams. So if your
08:24phone number is leaked, scammers might have you on a list and text you trying to get you to send them money.
08:29You've been in this world doing this work for more than a decade. How would you say things have
08:38changed since the early days in terms of either the types of data, the frequency of breaches?
08:43The things that I have clearly seen change is, for example, the way passwords are protected. If we go
08:49back to data breaches from 2012, LinkedIn, Dropbox, for example, the way the passwords were protected then
08:54and the hashing algorithms they used are not things that we see very often today. Certainly not with any
08:59sort of large significant organisations. Over the course of time, we've definitely seen
09:04different attack vectors, so different ways in which data has been obtained, very frequently
09:09because different platforms have either gained popularity or there's been common vulnerabilities
09:14or misconfigurations. There was a while there where there was lots of MongoDB that was exposed,
09:18and then there was a lot of Amazon S3 buckets exposed, and then a lot of Elasticsearch
09:22instances exposed. So we're seeing that sort of vector change, but we're not really seeing the fact
09:28that there's millions, hundreds of millions of email addresses and personal information
09:33appearing in data breaches every day. Do you feel like the public understanding of
09:37cyber security and cyber security practices has changed? Consumers, if anything, I feel are
09:42developing a little bit of apathy, where they're just like, ah, is this another data breach? Until
09:48something actually stings them in some way and they actually lose some money or there's a tangible impact
09:54on their privacy. We feel that there's probably not a lot of impact on consumers or not a lot
09:59of things that are changing, and we're hearing this term a little bit of data breach fatigue.
10:03For organisations, it's a tricky one. I feel organisations are increasingly standoffish
10:10when it comes to data breach. I'm finding very, very often they're not disclosing to individuals,
10:15and usually they have a legal right not to disclose to individuals as well. They're particularly skittish
10:21about things like class actions. It just seems like every data breach of any significance that
10:26happens, regardless of what the actual impact is on individuals, literally the next day there's a
10:31law firm doing a class action. And I think organisations are adapting their behaviour to
10:36disclose much less information just due to fear of being then used in legal proceedings.
10:42So what can you do? Well first, if you're notified of a breach and your data was stolen,
10:46make sure to change your password and not use that password anywhere else. In fact, the best thing to
10:50do is use a password manager. This allows you to create unique, difficult to crack passwords across
10:55every app and website you use. That way, if a hacker gets access to one password, they can't use it on
11:01another account. Even if you learn about a breach that happened months or even years ago, that data is
11:05still out there and the hacker or some other person might use that data in the future. Make sure to freeze
11:10your credit. If you're part of a breach where a lot of personal information that can be used in financial
11:14fraud is stolen, if someone takes out a credit card in your name and never pays the balance, which of
11:19course they're not going to do, it's not going to tank your credit score and prevent you from getting
11:22loans or credit cards in the future. You'll also want to get credit monitoring services so that you'll
11:27be alerted if somebody tries to open an account in your name. Another key step in practicing good
11:31security is to use multi-factor authentication everywhere it's available. It's important to use a
11:36tool that's trusted like Google Authenticator or a YubiKey, otherwise your data might not be as safe as
11:41you think it is. Try to avoid SMS-based two-factor authentication. And finally, always aim to use
11:46apps and websites from companies that have a good security track record. This will reduce the chance
11:51that your data will get stolen in the first place. The fact of the matter is, if your data hasn't
11:55already been stolen, it's probably going to happen at some point. But even if it is, it's still important
11:59to take steps to protect yourself because there can always be another breach that exposes more data
12:04and creates more risk for yourself. This has been Incognito Mode. Stay safe out there.