Running Have I Been Pwned (HIBP) has presented some fascinating insights into all sorts of aspects of how data breaches affect us: the impact on the individual victims such as you and me, of course, but also how they affect the companies involved and, increasingly, the role of government and law enforcement in dealing with these incidents. Last week I had an all new situation arise related to that last point and I want to explain it properly here so it makes sense if someone finds themselves in this data breach.
I was contacted by the Cybercrime Bureau of the Estonian Central Criminal Police who were after some assistance notifying individuals impacted by a number of different breaches. They suspected that a significant volume of the credentials obtained in these incidents have been used to access mailboxes, cryptocurrency exchanges, cloud service accounts and other similar online assets. It's an ongoing investigation so they can't go into details about the incidents themselves, but they do have a strong suspicion that the accounts breached from these incidents are likely being compromised in other locations where passwords have been reused. They went on to explain what they believe the primary motivation of these attacks is:
We suspect that the main modus operandi was to log into cryptocurrency platforms or look for wallet information in mailboxes and transfer the money to perpetrators' accounts
The Estonian Police elected to reach out to me and provide the data via HIBP as they can no longer be sure the legitimate owners have access to the impacted email accounts. They also don't want to set a precedent of sending emails of this nature to citizens as they would very likely be replicated in phishing attacks. With the data now loaded into HIBP, they'll be broadcasting the address of the site and suggesting people search there to assess their exposure. In total, there were 655k records affected that are now searchable.
Obviously the same fundamental security advice many of you already know applies: create strong, unique passwords (get a password manager) and enable two-factor authentication on everything that supports it (check out twofactorauth.org for a full list). Definitely do that if you find yourself in this breach, but equally do it now if you're not already following these fundamental principles.
If you find your email address in this incident and also identify that cryptocurrency has been stolen, please contact the Cybercrime Bureau of the Estonian Central Criminal Police at firstname.lastname@example.org.