So two Harvard students wondered just how much information was out there that had simply been dumped online and made publicly available by hackers. Then, they also wondered how much of this data could be combined to identify and track people across various websites. What they found was worse than most of us imagine.
“We also showed that a cyber criminal doesn’t have to have a specific victim in mind. They can now search for victims who meet a certain set of criteria,” Metropolitansky said.
For example, in less than 10 seconds she produced a dataset with more than 1,000 people who have high net worth, are married, have children, and also have a username or password on a cheating website. Another query pulled up a list of senior-level politicians, revealing the credit scores, phone numbers, and addresses of three U.S. senators, three U.S. representatives, the mayor of Washington, D.C., and a Cabinet member.
“Hopefully, this serves as a wake-up call that leaks are much more dangerous than we think they are,” Metropolitansky said. “We’re two college students. If someone really wanted to do some damage, I’m sure they could use these same techniques to do something horrible.”
Two things come to mind for me reading this.
One, how much information is out there that we aren’t even aware of, about us? They simply used email addresses found in the Experian credit reporting leak to locate accounts across all kinds of websites, and tie them back to individuals. That was a hack from 2015. It’s still sitting out there, helping them tie a real-life identity to all sorts of online information.
Secondly, though, I also wonder how much of the information they found was accurate? I don’t say this lightly, because I know firsthand that there are “who knows how many” accounts that have been set up using my email address, that aren’t me, and the websites in question never bothered to verify it.
I’ve gotten emails from dozens of places that were not me, but someone, probably with the same name, just using the simple version of the name with a Gmail address so they could create an account, or someone else not being careful with entering an email address that actually shouldn’t be the simple version of the name.
Guess what, when they do that, I get emails. And not spammy, mass emails that people randomly get from companies who bought email addresses, but very specific emails sent to someone named Mike McBride, who isn’t me. I mean, if you went out and searched for my email address in hacked data you might find out about rental property that I don’t have, kids in school systems where I don’t live, or kids with medical treatments happening across the country, or being recruited to play college sports. (I don’t even have kids.) You may find some airline confirmations for flights I never took, and I can guarantee you you’ll find dating profiles of all sorts, gaming profiles, forum posts, and memberships in Scottish shooting clubs. Again, all not really me. But, when hackers start putting together all of the hacked data that is out there, I doubt they’re going to be concerned about its accuracy. And, I doubt anyone else is going to question it either. In the era of social media shaming and mob justice, no one is going to stop and consider the possibility that entering any email address and having that be accepted as official without any verification is way too easy.
I mean, think about it. You can sign up for any number of websites, email lists, dating apps, social networks, etc. with any old address you want to make up off the top of your head, and why not? That’s less crap email you have to deal with.
But, as all that data keeps getting hacked, it’s creating these weird profiles of probably pretty embarrassing things which each of us may, or may not, have actually done.
Hacking, therefore, is not only information warfare, it’s also, potentially, disinformation warfare. Steal some information, leak it online, but maybe create some fake profiles before you do, enough to embarrass the heck out of people you don’t like. It’s totally possible, and in my opinion, much more dangerous.
How do you prove you’re innocent when the data says you’re not?