The notoriety that comes with taking credit for a data breach is alluring. Declaring a successful data breach can suddenly bring a lot of attention, which is why posting bogus data is attractive.
For companies and organizations, it’s a real headache, since an allegation of a breach can immediately pose public relations challenges.
“The speed of the news cycle is a lot faster than the speed of the incident response process,” said Allison Nixon, a threat researcher with consultancy Deloitte.
Nixon wrote a paper describing some non-intrusive techniques for figuring out if a data breach is legitimate. The paper, she said in a phone interview on Wednesday, is intended to allow third parties to get a sense whether a leak is real.
Bogus data releases, or ones that recycle data from old breaches, are common. Since data breaches draw attention, it’s easy for fame-seekers to insert a political message along with the data on sites such as Pastebin, a site for anonymously posting content.
“I would say that the motivations are really based on power, ego and fame,” Nixon said. “The people that are releasing these leaks—most of them are doing so under a handle, and they’re trying to build a reputation.
“If you’re unable to produce a real data breach, then I guess this is the next best thing,” she said.
One of the verification techniques is figuring out if a particular email address really was used to register an account with a Web service. Some sites won’t allow two accounts to be registered with the same email address.
“If the company does enforce email uniqueness, the veracity of the leak can be tested by changing an account’s email to randomly selected emails in the leak,” according to the paper. “Almost all emails should be traceable to the company’s site; untraceable emails indicate that the leak is very likely fake.”
Other Web services will also “leak” a bit of information, such as whether a username exists or not, which can also indicate if the published data is a true leak.
Nixon cautioned that it is not recommended to try the purportedly leaked username and password combinations to log in to a Web service. That could have legal ramifications.
“The techniques compiled in this paper were done so with the idea of causing minimal impact and causing minimal legal problems,” Nixon said.
In other cases, just looking at username and password combinations and the service that the details purportedly came from can send up a red flag.
For example, websites that have restrictions on what types of passwords are acceptable can help to debunk a breach. If the results from a supposed breach contain simple passwords such as “123456” on a website that requires stronger passwords, “the leak should be treated with suspicion,” the paper said.
Nixon said she came up with an idea for another test that might indicate a breach is real.
One leak she analyzed consisted of credit card data. She thought the data was fake because it was potentially valuable in the underground. It didn’t make sense for someone to freely publish the data if it had value.
To test it, Nixon compared first names of people in the breach with a list of the most common names based on their birth year. The distribution of names indicated the breach might be legitimate.
“It would be interesting to see further research in that area,” Nixon said.
However, further investigation showed the credit card data was old, as the expiration dates of the cards had mostly passed, Nixon said. The data had merely been recycled and didn’t really come from its purported source.
“There was no new breach,” she said.