
Following Your Stolen Data Through The Dark Web

People and companies get hacked all the time. Corporate secrets, credit card numbers, password to your email, your medical information—even your Netflix login might get stolen. But where does that data go once it's been stolen? Today, WIRED's Andrew Couts takes a deep dive into the hacked data economy.

Director: Efrat Kashai
Director of Photography: Mar Alfonso
Editor: Matthew Colby
Host: Andrew Couts
Guest: Troy Hunt
Camera Operator: Jeremy Harris
Gaffer: Salif Soumahoro
Sound Mixer: Sean Paulsen
Production Assistant: Shanti Cuizon-Burden
Post Production Supervisor: Christian Olguin
Supervising Editor: Eduardo Araujo
Assistant Editor: Andy Morell

Released on 10/16/2025

Transcript

People and companies get hacked all the time.

Corporate secrets, credit card numbers,

password to your email, your medical information,

even your Netflix login might get stolen.

But where's that data go?

Today, we're doing a deep dive into the hacked data economy.

We'll also speak with Troy Hunt,

founder of Have I Been Pwned,

a tool that lets you know if your data's been breached.

This is Incognito Mode.

[pensive music]

There are a few types of hackers.

There's state-sponsored hacking groups

or advanced persistent threats.

There's hacktivists.

And then there's criminal hackers.

State-sponsored hackers are typically going to be hacking

for espionage, blackmail,

purposes that serve the state that they're sponsored by.

There's also hacktivists, which go after companies

or other organizations that they have some problem with.

Think a weapons manufacturer or a police department.

And then there's criminal hackers.

These types of hackers are pretty indiscriminate.

They'll go after any system where they can steal data

and then make money from that data in one way or another.

What happens to your data

after it gets stolen really depends on who did the hacking.

If it's a state-sponsored hacker,

we might not know what happens to that data.

Because state-sponsored hackers

are acting on behalf of their own government,

the data often goes into a black box,

and as an outsider,

it's really hard to know what happens to that data.

One of the largest data breaches in history,

it happened at Equifax,

the company that tracks all your credit cards

and mortgages to determine your credit score.

In the case of Equifax,

tens of millions of people's data was stolen,

but we've never seen that data surface online.

Sometimes the data is leaked.

Think Russia's hack of the Democratic National Committee,

which had all its emails published online.

The US government investigation

into the Russian hack of the DNC

found that one of the main reasons for the breach

was to release the data

and cause chaos in the US political system.

We don't know if they did anything else

with the data as well.

In the case of a breach by hacktivists,

the hackers will often steal the data

and then share that with journalists

or maybe just post it themselves online.

Notorious hacking group Anonymous

has declared war on Russia.

Russian government,

Russian military records being dumped out

under the internet.

The goal is really to embarrass, shame,

and cause problems for whatever entity that they hacked.

Hacks by cyber criminals are probably what you think of

when you think of getting hacked.

When criminal hackers break into a system,

they'll often steal as much data as they can.

Think credit card numbers, your email and passwords,

your medical information.

From there, it gets sold and traded

to other criminal hackers.

And by the time you know

that your credit card has been stolen,

it may have been posted online multiple times.

While any hacker might post information online,

it's a criminal hack

where you most likely see your information exposed.

So if you go to a website like Have I Been Pwned

and see that your information was breached,

it was probably a criminal hack.

Some state-sponsored hackers blur the lines

and get into criminal hacking.

North Korea, for example,

is involved in billions of dollars worth of theft

of cryptocurrencies either through ransomware attacks

or hacking crypto exchanges directly.

It's widely believed North Korean hackers

used the stolen money to fund the government,

including its nuclear weapons program.

[pensive music]

There are two main ways that criminal hackers make money:

one is selling your data and the other is ransomware.

First, we'll talk about ransomware.

Ransomware is a type of malware that allows a hacker

to go into a system, steal the data,

and then encrypt the system so it's unusable.

You often see hospitals, government organizations,

and other entities that need to function

get targeted by ransomware.

They'll say, "If you don't pay me, say 200 Bitcoin,

we're gonna leak your data online."

When we're talking about medical information

or financial information,

this is really sensitive

and could be extremely damaging,

not just to you, but to the organization itself.

A victim organization typically has two choices.

They can either pay or not.

If they choose not to pay

and the hackers do leak the data,

the victim organization is just gonna have to deal

with the fallout from that

and likely have to have some type of way

to mitigate the attack and get back online

and continue their operation.

The other option, which experts highly advise against

because it encourages other ransomware attacks,

is to pay the ransom.

This happened to Change Healthcare

when in 2024 they were victims of a ransomware attack

and ultimately paid 350 Bitcoin, around $22 million,

to the hacker group.

Unfortunately, for Change Healthcare,

a second hacker group got its hands on the data

and appeared to post it online.

So even though Change Healthcare paid a fortune

to keep their data from getting leaked online,

it still happened, and they didn't get much out of it.

[pensive music]

Another way hackers make money

is by just selling your data online.

So what does that mean exactly

and what does that look like?

So if your data is sold, it's often packaged together,

auctioned off, and paid for.

This is a massive underground economy

and what we call the hacked data pipeline.

Newly stolen data often first appears in private groups

like hacker networks, forums, and group chats

before it ever hits the open market.

You can think of this as the wholesale distribution step

where hackers share the data with trusted sources

and try to unload it all at once for a huge sum.

From there, the data makes its way to dark web marketplaces.

The dark web is unsearchable with normal tools like Google.

You have to use a special browser called a Tor Browser

to access dark web sites.

[Narrator] Tor Browser is just like any other browser,

except it protects you against surveillance and censorship

when surfing the internet.

It was developed

to make it difficult for people to know who you are

and what sites you're visiting.

Dark web marketplaces provide anonymity

for both sellers and buyers,

making it ideal for cyber criminals.

Hacked data is also used to build tools

to help protect people who've been affected by breaches.

One of these tools is Have I Been Pwned.

Troy Hunt, thanks for joining us.

For somebody who's never like been

on one of these kinds of forums,

what does that look like?

Well, they look just like a forum to comment on cats.

There's threads and comments and reputations

and everyone's trying to be anonymous.

It's a very recognizable environment.

You've just got people there talking about crimes

and exchanging personal data for their own benefit.

What would you say is kind of the most sensitive data

that ends up getting shared in these databases?

So we categorize somewhere in the order

about 150 data classes,

so different types of personal information,

and by far, the number one most prevalent is email address.

Passwords are still enormously prevalent as well.

Usually not in plain text these days.

They're hashed and protected to one degree or another.

And after that, the most common attributes

are things like name, phone number, physical address.

But then if we go all the way through

to the most sensitive end,

we get anything from, say, government-issued IDs.

So it's things like a passport, a driver's license,

through to the things that are deeply personal,

like health data,

and all the way through to sensitive topics

about the desires that you have in the bedroom.

And then something like Ashley Madison

is a good example of that.

There are dozens of marketplaces for stolen data.

Some of them include STYX Market, Brian's Club,

Russian Market, and BidenCash.

Some of these marketplaces

have tens of thousands of listings.

Often your data will be sold there

alongside things like drugs, counterfeit items,

or other cybercrime tools.

Market prices for your data vary,

but some are surprisingly cheap.

For example, the details for a credit card

with a $5,000 balance can go for as little as $110.

A Netflix login could cost somebody as little as 10 bucks.

Things like credit card info are usually sold in bulk.

But for higher value data like corporate secrets,

they're often auctioned off to the highest bidder.

Marketplaces are often controlled by groups

or individuals based in Eastern Europe

or in other areas that don't have extradition treaties

with the United States like Russia or China.

As you can imagine,

most sales in dark web markets

are made using cryptocurrency,

which makes it much more difficult to trace

than something like a credit card or PayPal.

Stolen data is often sold to other cyber criminals

who use it for identity theft,

taking over social media accounts,

medical fraud, and more.

Stolen emails, usernames, and passwords are often used

for something called credential stuffing.

This is when a cyber criminal tries a username and password

on a bunch of different sites or services

and tries to hack in.

This works because people very often reuse the same password

over and over again,

allowing a criminal to get into an account

even if they don't really know what the password is.

So if the cyber criminal buys the login

for your email address,

they might then use that information

to get into your social media accounts,

message all your friends and ask for money.

They could also do something more straightforward,

like get into your bank account

and then just wire themselves all your money.

Your stolen information can be used

to open fraudulent bank accounts,

apply for loans, or commit tax fraud.

Your medical information might be used for insurance scams

or to get prescription drugs.

Once your information is posted online,

it can be sold and resold and used by multiple hackers

before you even know it's stolen.

That means the hacker that stole your data

isn't necessarily the same person

who's putting fraudulent charges on your credit card.

Even if the information that's stolen is really basic,

like just your name and your email address

and phone number,

that can still be used for phishing attacks

in which cyber criminals send malicious links

and get people to download malware.

It can also be used to target you for scams.

So if your phone number is leaked,

scammers might have you on a list

and text you trying to get you to send them money.

[pensive music]

Troy, if you've been in this world doing this work

for more than a decade,

how would you say things have changed since the early days

in terms of either the types of data,

the frequency of breaches?

The things that I have clearly seen change

is, for example, the way passwords are protected.

If we go back to data breaches from 2012,

LinkedIn, Dropbox, for example,

the way the passwords were protected then

and the hashing algorithms they used

are not things that we see very often today,

certainly not with any sort

of large significant organizations.

Over the course of time,

we've definitely seen different attack vectors,

so different ways in which data has been obtained,

very frequently

because different platforms have either gained popularity

or there's been common vulnerabilities or misconfigurations.

There was a while there

where there was lots of MongoDB that was exposed,

and then there was a lot of Amazon S3 buckets exposed,

and then a lot of Elasticsearch instances exposed.

So we're seeing that sort of vector change,

but we're not really seeing the fact that there's millions,

hundreds of millions of email addresses

and personal information appearing

in data breaches every day.

Do you feel like the public understanding of cybersecurity

and cybersecurity practices has changed?

Consumers, if anything, I feel

are developing a little bit of apathy

where they just say, "Ah, this is another data breach,"

until something actually stings them in some way

and they actually lose some money

or there's a tangible impact to their privacy.

We feel that there's probably not a lot of impact

on consumers

or not a lot of things that are changing,

and we're hearing this term a little bit

of data breach fatigue.

For organizations, it's a tricky one.

I feel organizations are increasingly standoffish

when it comes to data breach.

I'm finding very, very often

they're not disclosing to individuals,

and usually they have a legal right

not to disclose to individuals as well.

They're particularly skittish

about the things like class actions.

It just seems like every data breach

of any significance that happens

regardless of what the actual impact is on individuals,

literally the next day,

there's a law firm doing a class action.

And I think organizations are adapting their behavior

to disclose much less information

just due to fear of being then used in legal proceedings.

So what can you do?

Well, first, if you're notified of a breach

and your data was stolen,

make sure to change your password

and not use that password anywhere else.

In fact, the best thing to do is use a password manager.

This allows you to create unique,

difficult to crack passwords across every app

and website you use.

That way, if a hacker gets access to one password,

they can't use it on another account.

Even if you learn about a breach that happened months

or even years ago,

that data is still out there

and the hacker or some other person

might use that data in the future.

Make sure to freeze your credit

if you're part of a breach

where a lot of personal information

that can be used in financial fraud is stolen.

If someone takes out a credit card in your name

and never pays the balance,

which of course, they're not going to do,

it's not gonna tank your credit score

and prevent you from getting loans

or credit cards in the future.

You'll also want to get credit monitoring services

so that you'll be alerted

if somebody tries to open an account in your name.

Another key step in practicing good security

is to use multi-factor authentication

everywhere it's available.

It's important to use a tool that's trusted

like Google Authenticator or a YubiKey.

Otherwise, your data might not be as safe

as you think it is.

Try to avoid SMS-based two-factor authentication.

And finally, always aim to use apps and websites

from companies that have a good security track record.

This will reduce the chance

that your data will get stolen in the first place.

The fact of the matter is

if your data hasn't already been stolen,

it's probably gonna happen at some point.

But even if it is,

it's still important to take steps to protect yourself

because there can always be another breach

that exposes more data

and creates more risk for yourself.

This has been Incognito Mode.

Stay safe out there.

[pensive music]