The impact of “Have I been pwned” on the data breach marketplace

I’ve been running “Have I been pwned?” (HIBP) for just over a couple of years now and to say that it’s exceeded my wildest expectations of what it might achieve is somewhat of an understatement. The volume of data it now holds is one thing, the many hundreds of thousands of notification subscribers is another and yet another again is the volume of traffic it serves, sometimes in the millions of visitors a day. But recently, the penny has dropped on something else it’s managed to achieve that I never expected; it’s impacting the market price of breached data.

Identities are valuable. Email addresses, passwords, physical addresses and phone numbers to name but a few data attributes all pose value to criminal elements. They enable access to accounts well beyond just those breached thanks to both password reuse and weak verification processes (read Brian Krebs’ piece last month on PayPal’s lazy authentication for a great example) plus of course provide malicious actors with essential elements required for identity theft. Whilst individual identities are valuable, full data breaches with potentially millions of identities can be a gold mine.

For example, back when I was dealing with the 000webhost breach, someone sent me this DM:

Tweet about 000webhost selling for $2k

Now even when I don’t agree with the moral position I still respect their right to privacy so I won’t be sharing any names here, but clearly they weren’t happy. In part I suspect he was perplexed as to why someone would give me something they could have sold (although I have never paid for a data breach), but in part he was also concerned as to what my having the data would do to the market value. And he was right.

The 000webhost breach was selling for $1.5k on one marketplace around the time of the breach:

000webhost for sale at $1.5k

Shortly after I made the incident public, the price fell 90%:

000webhost price revised to $150

The thing with these data breaches is that ultimately, they’re a tradeable commodity and their price is driven by market forces. A breach that very few people know about is valuable because whilst victims are unaware of their exposure, they’re unlikely to change their passwords or monitor fraudulent activity against their identities. However, once they’re aware of their exposure and take measures to protect themselves then their value as a tradeable commodity plummets. Not only did 000webhost get quite a bit of press once I wrote about it, there were 5,186 HIBP subscribers who got an email as soon as I loaded the data into the system.

Which brings me to Nexus Mods. Last year I received this:

Asking for BTC to share Nexus Mods

This is very clearly direct monetisation of data breach victims. Not only that, but the only reason people pay for this data is because it represents an ROI for them; they will then do something with the contents of the breach which presents them with a financial upside and that almost certainly means disadvantaging the victims. In a case like this, there’s only ever one response that’s suitable:

Me refusaing to pay for a data breach

But sooner or later, someone comes along perhaps driven by a desire to do good, who provides me with the data. That was the case with 000webhost and now it’s the case with Nexus Mods as well. Yesterday I loaded in almost 6M records and HIBP sent out 8,603 emails to individual subscribers, 559 emails to domain subscribers and a massive 124,325 notifications to subscribers using the callback implementation. The value of this breach is now not what it once was and the victims have a greater awareness of their exposure. The only ones who genuinely lose out when I load a breach like this is those who are illegally selling it in an attempt to further disadvantage the victims.

To that effect, I’d like to outline some ways you can help data breach victims and make a positive impact on web security:

  1. If you’ve found a vulnerability in a system, disclose it privately and ethically to the owners. If it’s serious and you can’t get a response from them then contact me and I’ll help get their attention. I’ve had several cases like this recently where everything has been done quietly and customers have been saved any public exposure.
  2. If you have data from a system that is being actively sold or traded, support the victims by donating it to HIBP. I’ll also attempt contact with the organisation involved and ensure they’re aware of the exposure. Again, contact me via one of the channels on that page.

If you have other data breaches similar to the Nexus Mods or the Gamigo one I loaded today, help support those who are being exploited by having their identities traded. If you’re sitting on the data or holding it privately, think about whose interests that’s actually serving; it’s probably not that of the innocent parties caught up in the incident.

Have I Been Pwned
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals