RSA Conference: Lessons from a Billion Breached Data Records


SAN FRANCISCO — Troy Hunt sees more breached records than most of us, running the popular ethical data breach search service "Have I been pwned." In a session at the RSA Conference this week, Hunt entertained the capacity crowd with tales both humorous and frightening about breaches that he has been involved with.

One of the things Hunt said he is often asked is exactly how he learns about so many breaches. His answer was simple.

"Normally stuff just gets sent to me," Hunt said.

He emphasized that he doesn't want to be a disclosure channel for breaches, as that's not a role he wants to play. Rather, his goal is to help people be informed and protect themselves.

While he is sent information by various tipsters, not everything he is sent is actually real. Hunt said that a real challenge is finding out what is real and what is not.

"Very often the information I'm sent is not real," Hunt said.

So how does Hunt verify that data breach information he is sent is real? There are several different steps he takes. One of the simplest is to take one of the email addresses in a given data breach and try it out on the password reset form of the allegedly breached web site.

If the site accepts the reset request for that address, the breach could be real. The same approach works with user registration pages when no password reset page is present: he tries to register the email found in the breach as a new user, and if the site reports that the address is already in use, that's another indicator the breach information could be legitimate.
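As an added illustration (not from Hunt's talk or the article), here is the behaviour he relies on as a site operator would see it: a password reset form that confirms whether an address is registered, beside reset and sign-up handlers that give the same page response either way, so the only confirmation goes to the mailbox owner. The user store, addresses and outbox are constructed for the example.

```python
# Constructed account store standing in for the site's user database.
USERS = {"alice@example.com", "bob@example.com"}

# Emails the site would send out of band; recorded here instead of sent.
OUTBOX = []


def reset_leaky(email):
    """Reset form that acts as an account-existence oracle: the page
    response itself says whether the address is registered."""
    if email in USERS:
        OUTBOX.append(("reset", email))
        return "Reset link sent."
    return "No account found for that address."


def reset_uniform(email):
    """Hardened reset form: identical response for known and unknown
    addresses; only the mailbox owner learns whether an account exists."""
    if email in USERS:
        OUTBOX.append(("reset", email))
    return "If that address has an account, a reset link is on its way."


def register_uniform(email):
    """Hardened sign-up: never says 'already registered' on the page.
    An existing account gets a 'you already have an account' email and a
    new address gets a verification email; the page response is the same."""
    if email in USERS:
        OUTBOX.append(("already-registered", email))
    else:
        OUTBOX.append(("verify", email))
    return "Check your inbox to continue."


def is_enumeration_oracle(handler, known="alice@example.com",
                          unknown="nobody@example.com"):
    """True if the handler's page response differs between a registered
    and an unregistered address, i.e. it can confirm addresses from a dump."""
    return handler(known) != handler(unknown)
```

The response text is only one channel: if the reset email is sent synchronously, response time can leak the same bit, so queue the mail and return immediately in both branches.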

Hunt also reaches out to affected companies, which he noted typically aren't too happy to hear from him. When organizations do respond, sometimes the replies aren't quite what he expects. One example he cited is Lifeboat, an online Minecraft server site that was breached in April 2016. The site's owners responded to the breach by saying they were in fact aware of the issue, had been aware of it for months and had silently reset user accounts. That's an approach Hunt doesn't advocate.

"Not disclosing puts people at risk," Hunt said, "since people will take passwords and use them in other places."

Data breach lessons

Hunt said having proper perimeter defenses in place is critical, including detection controls. He also strongly suggests that organizations be prepared to receive vulnerability reports from security researchers. To that end, he is also an advocate of bug bounty programs that reward researchers for responsibly disclosing security vulnerabilities.

It's also important to have an incident response plan in place to know what needs to be done in the event of a data breach.

Hunt's key lesson is that everyone should be prepared to be breached. As such, don't hold onto data that you don't need in the first place.

"You can't lose what you don't have," Hunt said.

Sean Michael Kerner is a senior editor at eSecurityPlanet. Follow him on Twitter @TechJournalist.