Troy Hunt: The Delicate Balance in Data Breach Reporting
'Have I Been Pwned?' Walks the Line Between Notification, Privacy
Troy Hunt's free breach-notification service, Have I Been Pwned?, logs tens of thousands of visits per day, particularly if there's been a major data breach making news headlines. His service enables people to discover if their email address - and by extension access credentials - have been compromised via breaches small and large, including leaks involving Adobe Systems (152 million credentials exposed), the Ashley Madison extramarital dating site (31 million credentials) and most recently, LinkedIn (164 million credentials).
But running such a service is not without its complications. For starters, there's a delicate balance to strike between informing the public and not divulging so much information that it could jeopardize people's privacy, says Hunt, who was scheduled to speak at the AusCERT computer security conference near Brisbane, Australia, on May 27.
Hunt launched Have I Been Pwned? in late 2013 as a resource for the public and organizations, but he's also a regular speaker at information security conferences and workshops around the world (see Top 10 Data Breach Influencers).
Hunt sat down with Information Security Media Group on May 25 to discuss how his views on data breach disclosure have continued to evolve, as well as to share his insights into LinkedIn's ongoing breach saga.
Analysis: LinkedIn Breach
Jeremy Kirk: So, what I think is interesting is that yesterday I received a notification from Have I Been Pwned? that my LinkedIn data was in the most recent release.
Troy Hunt: Congratulations.
Kirk: Thank you very much. And I haven't received any notification from LinkedIn yet.
Hunt: It's very interesting. I've had a lot of people say that and, in fact, my email address is in the breach, but I didn't get a notification. And I've heard various theories about why that is. One theory is that they're not sending it to people who have changed their password since 2012. Now, on the one hand, you could rationalize that by saying, "Okay, well these people no longer have a risk on LinkedIn." Yet, on the other hand, you've got this situation where people reuse passwords.
And they need to know, because inevitably they've reused that password from 2012 somewhere else. The other theory I've heard is that people who didn't have a password hash against their email address in the breach, which is the case for me - I have an empty record for the password against my name - didn't receive an email. But then you've got a situation where people say, "Well, I would actually like to know if my email address has been exposed, even if it's just my email address." And there might be a question there as well about what is the obligation of LinkedIn, under management disclosure laws as well, when someone does have even just their email address leaked in that fashion.
Kirk: So this LinkedIn breach is strange for several reasons. We had an initial breach in 2012 of about 6.5 million credentials and then suddenly 164 million. There are questions around why did this release happen now. Do you have any theories on why this big tranche of data might have been released just in the last few weeks?
Hunt: Well, I think the first observation there is that this is not highly unusual. It's not unprecedented. We've seen data in Have I Been Pwned?, actually, of a very similar nature. We saw things like Moneybookers and Stella, the gambling sites, which were breached in 2009 and 2010, respectively. And that data only came to light at all just last year. So now we're talking like five or six years on.
What are the reasons that it happened? Well it might be that whoever exfiltrated this data to begin with has had some catalyst which has caused them to release this, so maybe they - maybe they want to get straight and they want to cash it in. Maybe they've traded it with someone else. Maybe they had it stolen from them. We really don't know. But clearly there has been some event which has caused this data which has laid dormant for that long to suddenly be out here in the world.
Game Changer: The Ashley Madison Breach
Kirk: You've made some interesting decisions over how you handled breaches, how people can search for them. One of the most prominent ones was Ashley Madison. You decided to put some limits on how people could access information. Can you describe a little bit more of what your thinking process was at that time?
Hunt: Yeah, so if we think back to Ashley Madison, to be honest, I had the fortuitousness of having the luxury of time, in that, in July 2015, we had a statement from the hackers, saying: "Look, we've broken in, we've stolen all their things, if they don't shut down we're going to leak the data." And that gave me an opportunity to think about well, what would I do if 30 million accounts from Ashley Madison turned up? And I thought about it for a while, and I realized that this would actually be really sensitive data. And then I wrote a blog post after the announcement but before the data was public, and said look, if this data does turn up, I want it to be searchable in Have I Been Pwned?, but I don't want it to be searchable by the people who don't have a client address.
So what I did then was I made sure that I had the mechanism in place, such that if that data hit, you could go and subscribe to the notification system and then search once you verified your email address. So you've got to receive an email at the address you're looking for. You can't go and check your husband's account or your employee's account or your parent's account or anything like that.
Kirk: Now with some of the other data that's been leaked, you can do that, right? Through the API?
Hunt: Yeah, correct. And this is sort of a thing I still give a great deal of thought to, because, effectively, I'm making judgment decisions on what should be publicly searched and what shouldn't. And often I'll get people saying, "well, you know, shouldn't everything not be publicly searchable?" Because as it stands at the moment, you can go and publicly search for if someone has, say, a LinkedIn account. Now LinkedIn's probably a good example of one end of the opposite extreme to what Ashley Madison is. And there, I'm sort of trying to say on the one hand, I want this information to be discoverable by people in the easiest possible way.
Inside the VTech Incident
Kirk: You made another interesting decision with the VTech breach, which was the Hong Kong toymaker that saw identities of children who had registered for their services released.
Hunt: With VTech, this was a little bit unique in that we had someone hack into VTech, suck out 4 million-plus parents' data, hundreds of thousands of kids' data. The [hackers] decided they should do this in order to help VTech understand they had a security vulnerability. So rather than contacting VTech, they thought we'll just illegally exfiltrate huge amounts of data and then we'll send it to a reporter, which is just unfathomably ignorant. But anyway they did that. They sent it to the reporter. The reporter then gave it to me to verify so that they could swirl a story out of it. And I subsequently put it in Have I Been Pwned?.
The one thing that everybody wanted is to be sure that this data was never going to go any further. And, from my perspective, really, it just didn't make a lot of sense to me to have it anymore. You know, there was no more ongoing value, particularly when VTech assured me that everybody in there had been individually contacted.
Kirk: So, it seems like every time you encounter a breach, there are these nuances that challenge whether you should put the data into Have I Been Pwned?.
Hunt: There are always nuances, right. And every single incident including this LinkedIn one will make me stop and think "Is this the right thing to do?" So LinkedIn made me stop and think for multiple reasons, and one of them is just purely mechanical. There were about 164 million unique email addresses. It's not easy loading that into the data structure that I have.
The Future of Passwords
Kirk: A final question for you. Do you think we're going to be using passwords in 2026 - or even in 2036?
Hunt: Now that's exactly the question people were asking 10 years ago. "Are we still going to be using passwords in 2016?" What do you think? Yes. I think it will continue to evolve. We look at it today, and we're using a lot more social log-ins. So we still have passwords, but we will have less of them, and there are services that are meant to protect them. We have further ways of verification as well. We have noticed that verification now, on many different services, including LinkedIn. That is sort of heading us in the right direction. We have biometrics that we can use more extensively.