Data breach claims are often poorly researched, unsubstantiated and ultimately fake

I have multiple Yahoo data breaches. I have a Twitter data breach. I have Facebook data breaches. I know they are data breaches from those sources because people told me they are, ergo, they're data breaches. Except they're not - they're all fake. Problem is though, fake data breaches don't make for a very good headline nor do they give you something worth trading; for many people, it's not in their best interests to establish what's fake and what's not.

Earlier this year I wrote about how I verify data breaches and gave an example of Zoosk, the "data breach" that turned out to be anything but. It would have been easy for me to load the tens of millions of records from the alleged breach into Have I been pwned (HIBP), get myself some press and send out a bunch of notifications to (very confused) subscribers, but that would have unfairly implicated the company and frankly, that's just irresponsible.

The catalyst for this blog post was an investigation I did last week into an alleged data breach from dfb.de, a German soccer site. I was sent a file with several million records and one of the first things I did was look online for existing references of an incident. Vigilante.pw is often a good resource and I found it there:

Vigilante.pw

Edit: Vigilante.pw has now removed the DFB entry.

Someone else sent me through a list of breaches I might be interested in which also included it:

Another list of breaches

It even turned up in a tweet sent by my mate Dez Blanchfield just a couple of days ago:

Popular belief as far as those dealing with the data are concerned is that DFB was hacked and there are millions of records floating around which people are now trading. But when you actually make an attempt to verify the data, a very different story emerges. None of the publicly available mechanisms I referred to in that verification post were checking out, so I started emailing HIBP subscribers who were in the "breach". Let me share their responses:

As far as I remember I am not using my email there

Not as emphatic as I'd like, but it was the beginning of a pattern. Here's another one:

I was never a user of dfb.de (Deutscher Fußball-Bund) as far as I remember

Yes, these are two completely different people despite the similar language used. Here's another one:

As said, I do not remember ever having registered/signed up on the site you mentioned.

And another:

this must be a mistake. The site does not ring any bells with me nor am I a soccer fan

Then this one:

I don't recall creating an account with the DFB

The last one articulates what probably happened very well:

no, I think this was made up by someone. I didn't have an account there and I never used such a password.

Someone else actually offered another means of verification:

a friend of mine has an old, still working account that you could use for verification

Yet as with every other check to date, it came up blank: the email address wasn't in the data. However, there were some responses that said the password snippet I gave them from the file could have been legitimate (I'd send a partial password, just a few letters). We often see situations where one breach is re-branded as another, so there can be traces of legitimate data in a file, but that doesn't prove the source of the incident, and clearly in this case the source was not DFB.
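The two checks described above (looking up subscribers in the file and giving them only a redacted password hint, and testing whether the file is really an older breach under a new name) are easy to script. The following is an added example, not HIBP's code; every record in it is constructed, and the "known" dump stands in for whatever previously verified breach you suspect was re-branded:

```python
"""Sanity checks for an alleged credential dump: subscriber lookup with
redacted password hints, and overlap against a previously verified breach.
Added illustration only, not HIBP's code. All data below is constructed."""

from typing import Dict, Iterable, Optional

# Constructed sample: the alleged dump in the common email:password form.
ALLEGED_DUMP = """\
alice@example.com:Sunshine2014
Bob.Smith@Example.org:hunter2
carol@example.net:qwerty!
dave@example.com:Fussball:2010
"""

# Constructed sample: a breach that was already verified against its real source.
KNOWN_DUMP = """\
alice@example.com:Sunshine2014
bob.smith@example.org:hunter2
erin@example.com:letmein
"""


def normalise(email: str) -> str:
    """Emails are compared case-insensitively and without stray whitespace."""
    return email.strip().lower()


def parse_dump(text: str) -> Dict[str, str]:
    """Parse email:password lines. Only the first ':' separates the fields, so a
    password containing ':' survives intact; malformed lines are skipped."""
    records: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        records[normalise(email)] = password
    return records


def redact(password: str, keep: int = 3) -> str:
    """Hint sent to a subscriber: a few leading characters, the rest masked."""
    return password[:keep] + "*" * max(len(password) - keep, 0)


def check_subscribers(dump: Dict[str, str], emails: Iterable[str]) -> Dict[str, Optional[str]]:
    """For each address you are allowed to contact, return a redacted hint if the
    address is in the dump, or None if it is absent (the friend's known-good
    account in the post is exactly this None case)."""
    return {e: (redact(dump[normalise(e)]) if normalise(e) in dump else None) for e in emails}


def overlap(alleged: Dict[str, str], known: Dict[str, str]) -> Dict[str, float]:
    """How much of the alleged dump is already explained by a known breach.
    A high email overlap with identical passwords points at a re-branded copy
    rather than a fresh compromise; what counts as 'high' is the analyst's call."""
    shared = [e for e in alleged if e in known]
    same_pw = [e for e in shared if alleged[e] == known[e]]
    return {
        "alleged_total": len(alleged),
        "shared_emails": len(shared),
        "email_overlap": len(shared) / len(alleged) if alleged else 0.0,
        "password_match": len(same_pw) / len(shared) if shared else 0.0,
    }


if __name__ == "__main__":
    alleged = parse_dump(ALLEGED_DUMP)
    print(check_subscribers(alleged, ["alice@example.com", "zed@example.com"]))
    print(overlap(alleged, parse_dump(KNOWN_DUMP)))
```

A subscriber who recognises the hint tells you the password is real, not that the site named on the file is the source; that is why the overlap figures matter. If most of the file's addresses already sit in a verified breach with the same passwords, you are looking at a relabelled copy, and the absence of a known-valid account is the stronger signal still.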

Until verified by the company itself or a trusted party, take claims of breaches with a grain of salt. Nefarious individuals often have vested interests in making headlines and misrepresenting events. Particularly when hiding behind the veil of anonymity, the potential ramifications of defamation tend not to be something people worry about. For any legitimate organisation or individual on the receiving end, though, it is a very real worry: unfairly claiming a company has security vulnerabilities can cause serious reputation damage and lead to legal repercussions, as MedSec is presently experiencing. If someone is not prepared to put their name to a data breach claim, that's an immediate red flag.

When you see sensationalist and unsubstantiated headlines like If You Use One Of These Popular Internet Services, You Need To Change Your Password Right Now, treat them the same way as you should Facebook friends who post updates about something scary all in caps and encourage you to share it with all your friends: berate them appropriately and above all else, don't spread the FUD.

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals