My stolen data has been found on the Dark Web... How did they manage to find it on the Dark Web?

[Actual_Criminal]

I have signed up to some service via a Credit score monitoring provider here in the UK (ClearScore). 

 

They offer a service where they apparently scan the Dark Web and it highlights all leaked passwords, addresses, emails and accounts that have been posted. At first, I got it as a prevention thing as it was only £5 a month, but after 1 search, it came back with like 8+ different groups of leaked information.

 

I was sceptical, but it literally shows you the EXACT password that has been leaked (so in other words, information that ClearScore couldn't have known). I was mind blown. Of course, my passwords being leaked are from websites/apps that appear to have had some sort of data breach in the past and a couple of unknown sources. This is not the part I am concerned or amazed at though.

 

What is shocking me is that this leaked information can be scanned and instantly found on the Dark Web. 

 

1.) This means that my information is PUBLICLY available somewhere on a random Dark Web site. - Why?

What purpose would someone have to PUBLICLY release information to others unless they are a HVT? I understand blackhat and alike buy and sell information, like "CC FOR SALE" etc, but they have no motive to distribute the info for free unless it's to sabotage a company (which I highly doubt). I don't understand how ClearScore would have been able to obtain this information unless it was public.

 

2.) Even if it was public, it is probably contained on a spreadsheet or similar document with probably thousands of other leaked users. If ClearScore can identify leaked information this easily, surely they would report back to where the leak came from and the source would invest some resources into getting the data removed. Data Protection and GDPR is really big these days and the fines can be in the millions. I'm no web dev, but surely you could pay a top-tier security team £100K or something to find the storage location of the information and get it removed. 

 

Would love to hear comments from a data security expert or similar. 

[Skiiwee29]

Data breaches and data dumps from said breaches are out there all over the web. It doesn't take much to look it up and find it. Hackers sell this data left and right for billions of dollars a year. its how identify theft is so rampant. You can check yourself here:

 

https://haveibeenpwned.com/

[WereCatf]

5 minutes ago, Actual_Criminal said:

What purpose would someone have to PUBLICLY release information to others unless they are a HVT?

ClearScore most likely buys these datadumps from the Dark Web - vendors.

6 minutes ago, Actual_Criminal said:

would invest some resources into getting the data removed

Might as well ask for the Moon from the sky. I mean, have you seen how difficult it is to scrub something out of the Internet once it's out there, even when talking about law-abiding companies and services? The Dark Web - sources are not law-abiding, so it'd be even worse.

[LAwLz]

1 hour ago, Actual_Criminal said:

What is shocking me is that this leaked information can be scanned and instantly found on the Dark Web. 

Just a small correction. They aren't actually scanning the dark web. The entire point of the dark web is that it isn't being scanned and indexed.

 

1 hour ago, Actual_Criminal said:

1.) This means that my information is PUBLICLY available somewhere on a random Dark Web site. - Why?

I mean, isn't that obvious when you think about it?

Take the recent CD Project Red break as an example.

Some hackers gain access to CDPR servers.

They start downloading a bunch of data. In the case of CDPR, it was game data. In the case of something like Facebook, it will be user data. Whichever data is seen as valuable will get downloaded from the compromised servers.

Now when the hackers have the data, they got a few options.

1) They can release the data to the public just to wreck havoc. This is what they did with Facebook recently. At least partially. It's not uncommon for some data to be posted to the public right away to prove that the leak is real and should be taken seriously.

2) They can threaten the company to give them money to stay quit. I believe this is what happened with CDPR. The hacker said "look, we got the source code for your games. Give us X amount of dollars and we'll just delete it. If you don't give us the money within Y number of days, we will post it online".

 

If CDPR never pays the ransom then the hackers need to post the info online for free for everyone to see. If they didn't then their threat would have been toothless and no company would ever pay ransoms.

 

Or in some other cases, the hackers post an auction online for the data. "anyone who wants The Witcher 3 source code, make a bid on ur action!". Then some rich person wins the action, gets the source code and posts it online for other people to see for some other reason, like to damage CDPR, or wanting more open source games, or mods for The Witcher 3, or whatever.

 

In any case, if they didn't post the info online for free then companies would have no incentive to pay data leaks seriously.

 

 

1 hour ago, Actual_Criminal said:

2.) Even if it was public, it is probably contained on a spreadsheet or similar document with probably thousands of other leaked users. If ClearScore can identify leaked information this easily, surely they would report back to where the leak came from and the source would invest some resources into getting the data removed. Data Protection and GDPR is really big these days and the fines can be in the millions. I'm no web dev, but surely you could pay a top-tier security team £100K or something to find the storage location of the information and get it removed. 

Dude, if it was that easy to scrub the Internet of something don't you think it would be used all the time? It's very naive to think that you can scrub the entire Internet of something just like that. It's like saying "why doesn't someone just pay someone like 100K pounds to come up with a way nobody could ever get murdered or robbed again. Surely it can't be that hard".

[Amias]

2 hours ago, Actual_Criminal said:

I have signed up to some service via a Credit score monitoring provider here in the UK (ClearScore). 

 

They offer a service where they apparently scan the Dark Web and it highlights all leaked passwords, addresses, emails and accounts that have been posted. At first, I got it as a prevention thing as it was only £5 a month, but after 1 search, it came back with like 8+ different groups of leaked information.

 

That's £5 too much for a free service. See haveibeenpwned, linked above.

2 hours ago, Actual_Criminal said:

What is shocking me is that this leaked information can be scanned and instantly found on the Dark Web. 

 

You do understand how the internet works right?

2 hours ago, Actual_Criminal said:

 

1.) This means that my information is PUBLICLY available somewhere on a random Dark Web site. - Why?

What purpose would someone have to PUBLICLY release information to others unless they are a HVT? I understand blackhat and alike buy and sell information, like "CC FOR SALE" etc, but they have no motive to distribute the info for free unless it's to sabotage a company (which I highly doubt). I don't understand how ClearScore would have been able to obtain this information unless it was public.

It is public. People online do it for shits and giggs.

2 hours ago, Actual_Criminal said:

 

2.) Even if it was public, it is probably contained on a spreadsheet or similar document with probably thousands of other leaked users. If ClearScore can identify leaked information this easily, surely they would report back to where the leak came from and the source would invest some resources into getting the data removed. Data Protection and GDPR is really big these days and the fines can be in the millions. I'm no web dev, but surely you could pay a top-tier security team £100K or something to find the storage location of the information and get it removed. 

 

Would love to hear comments from a data security expert or similar. 

How do you fine/shutdown a ghost company in a non cooperative third world country?

 

[Arika]

16 hours ago, Actual_Criminal said:

Data Protection and GDPR is really big these days and the fines can be in the millions. I'm no web dev, but surely you could pay a top-tier security team £100K or something to find the storage location of the information and get it removed. 

You think the people who obtain data illegally care about GDPR? 

 

Law abiding computes don't even want to give up any data, why would people who profit off selling it be willing to cooperate. Also you act like there is 1 copy of data on 1 hard drive. Once it's on the internet there might as well be infinite copies.

 

This supposed magic security team would need to track every download of the data, or every time it's been copies to a clipboard and pasted somewhere else, get access to any number of computers that store this data and delete it. 

 

Not going to happen

[WkdPaul]

6 hours ago, LAwLz said:

They aren't actually scanning the dark web. The entire point of the dark web is that it isn't being scanned and indexed.

Technically, you can index the dark web, unindexed web is technically the deep web.

 

Depending on the dark web protocol, some are indexed (TOR onion sites are partly indexed by Google BTW, doing clear web search can give you onion sites in the results), though other protocols that are less known or popular aren't indexed.

 

Not sure why Google is doing that since TOR websites aren't easy to index, but it seems like they do. Plus without a way to access the TOR network, you can't see the onion sites listed in the results.

[Actual_Criminal]

8 hours ago, LAwLz said:

Just a small correction. They aren't actually scanning the dark web. The entire point of the dark web is that it isn't being scanned and indexed.

That is my point though. If they aren't 'scanning' the dark web, how the hell did they manage to find it on the dark web? I fail to believe data companies are 'buying' stolen data sets just to cross reference against normal data. Huge security issues right there. 

 

8 hours ago, LAwLz said:

I mean, isn't that obvious when you think about it?

Take the recent CD Project Red break as an example.

Your talking about big boy companies. Ones that are 'popular' and people have some sort of stigma attached to a company. The companies I am referring to a random ass unknown companies that you have used nonchalantly via a third-party app or service. 

 

8 hours ago, LAwLz said:

Dude, if it was that easy to scrub the Internet of something don't you think it would be used all the time? It's very naive to think that you can scrub the entire Internet of something just like that. It's like saying "why doesn't someone just pay someone like 100K pounds to come up with a way nobody could ever get murdered or robbed again. Surely it can't be that hard".

I'm not saying scrub the entire internet... What i'm saying is that if there is a specific large source of data 'publicly' available on site X, it would be in the best interest of said leaked company info to try and remove the data for damage control. Everyday it is on there, more people copy it. Sure, once it's up it is up, however I went to a random clearnet page and posted the details of 10,000 Well Fargo banking customers, I imagine the compliance and legal team at WF would move heaven and Earth to try and get it removed. (Even if it was probable that I had a second copy, or that it had it had already been copied elsewhere.) My point is that companies should take the same approach if this also occurring on the dark web and can easily be found (as shown via the ClearScore 'search' process). 

 

I totally disagree with your comments relating to Murder and Robbery and think it is a bad comparison. 

[Actual_Criminal]

7 hours ago, Amias said:

 

That's £5 too much for a free service. See haveibeenpwned, linked above.

 

The service literally tells you the password that has been leaked whereas the above site does not. Also, there is about 8 more results of leaked information compared to the info I placed in that link^.

 

The paid service also detects other leaked information, including addresses.

 

 

[WkdPaul]

11 minutes ago, Actual_Criminal said:

*snip*

 

Take some time to read what others have said.

 

Also ; 

11 minutes ago, Actual_Criminal said:

I'm not saying scrub the entire internet... What i'm saying is that if there is a specific large source of data 'publicly' available on site X, it would be in the best interest of said leaked company info to try and remove the data for damage control. Everyday it is on there, more people copy it. Sure, once it's up it is up, however I went to a random clearnet page and posted the details of 10,000 Well Fargo banking customers, I imagine the compliance and legal team at WF would move heaven and Earth to try and get it removed. (Even if it was probable that I had a second copy, or that it had it had already been copied elsewhere.) My point is that companies should take the same approach if this also occurring but on the dark web. 

That's not how the dark web works, it's completely decentralized, that's the whole point of it ; making sure it's almost impossible for data / websites to be traced and/or removed and that the people on that part of the web aren't traceable either.

 

When something is leaked, it's out there for good, no amount of money and lawyers can remove it. People and companies have tried and failed to scrub thing on the clearweb, so forget about having a "clean" dark web.

[Actual_Criminal]

Just now, wkdpaul said:

When something is leaked, it's out there for good, no amount of money and lawyers can remove it. People and companies have tried and failed to scrub thing on the clearweb, so forget about having a "clean" dark web.

Honestly I disagree with this. I have got stuff removed from the internet myself. I'm not talking about Google either. A simple cease and desist order can cause someone to remove your requested information. There are even companies out there now that specialize in this (https://brandyourself.com/)

 

However, I do agree that taking down the information on the dark web will be much harder. But that's why I said paying a top-tier crack team tons of money and they would probably be adept enough to somehow trace and remove the information and could even partner with the NCA or similar organisations. 

[Actual_Criminal]

5 minutes ago, Grand Admiral Thrawn said:

Just because something got removed does not mean it can not be uploaded again.

It is now 8 years since lawyer of Beyonce won a case to delete her photo from the Internet and it is still publicly available.

Haha, well as I've mentioned above, HVT, 'famous' people or well known companies are more subject to the spread of information than your everyday average Joe. 

 

That's one of the drawbacks of being famous/popular.

[tikker]

30 minutes ago, Actual_Criminal said:

The service literally tells you the password that has been leaked whereas the above site does not. Also, there is about 8 more results of leaked information compared to the info I placed in that link^.

 

The paid service also detects other leaked information, including addresses.

 

 

Telling you the password has no additional value in my opinion. If haveibeenpwned or something else tells your account was involved in a breach and passwords have been looted or compromised, you should change your password there and on any other account you use it no matter if they can tell you what it is or not. Maybe the more results aspect is worth it. haveibeenpwned just reports on data breaches I believe and doesn't scan the dark web.

21 minutes ago, Actual_Criminal said:

Honestly I disagree with this. I have got stuff removed from the internet myself. I'm not talking about Google either. A simple cease and desist order can cause someone to remove your requested information. There are even companies out there now that specialize in this (https://brandyourself.com/)

 

However, I do agree that taking down the information on the dark web will be much harder. But that's why I said paying a top-tier crack team tons of money and they would probably be adept enough to somehow trace and remove the information and could even partner with the NCA or similar organisations. 

A cease-and-desist order sounds nice in theory, but may not mean much in practise. Just take piracy as an example. C&Ds get sent out, sites get shut down all the time and it often won't be more than a day before 10 other mirrors pop up for every one that got taken down. That's normal web still and they can't even contain that, let alone the much more lucrative business of people's information. Not saying that it's impossible, but I'm quite convinced that the deeper and more illegal you go the harder and harder it gets to truly get rid of stuff.

41 minutes ago, Actual_Criminal said:

Your talking about big boy companies. Ones that are 'popular' and people have some sort of stigma attached to a company. The companies I am referring to a random ass unknown companies that you have used nonchalantly via a third-party app or service.

Why would a company need a stigma attached to it to get hacked? The CDPR hack was probably just out of spite, but data is data. If you're after personal information these random ass companies could arguably be even better prey as they might have bad security, or at least simpler security compared to say Google, and people have a bad habit of reusing passwords etc. Breach one door to open many.

[WkdPaul]

42 minutes ago, tikker said:

A cease-and-desist order sounds nice in theory, but may not mean much in practise. Just take piracy as an example. C&Ds get sent out, sites get shut down all the time and it often won't be more than a day before 10 other mirrors pop up for every one that got taken down. That's normal web still and they can't even contain that, let alone the much more lucrative business of people's information. Not saying that it's impossible, but I'm quite convinced that the deeper and more illegal you go the harder and harder it gets to truly get rid of stuff.

Lets not forget that we're talking about the internet, that's a world wide network, even on the clear web you'll have illegal stuff that a C&D won't be able to touch because of difference of laws in different countries and jurisdictions.

 

The OP is obviously not familiar with how the internet (not the WWW) works and seems to have an overly confident view that mirrors Hollywood TV shows like CSI (no offence to the OP).

[Actual_Criminal]

16 minutes ago, wkdpaul said:

Lets not forget that we're talking about the internet, that's a world wide network, even on the clear web you'll have illegal stuff that a C&D won't be able to touch because of difference of laws in different countries and jurisdictions.

 

The OP is obviously not familiar with how the internet (not the WWW) works and seems to have an overly confident view that mirrors Hollywood TV shows like CSI (no offence to the OP).

Haha none taken.

 

All i'm saying is, if you throw enough money at something, anything can be done pretty much these days. (Regardless of the rules, laws and how it is achieved as long as there is an end result.)

 

So i'm just surprised firms don't do the above because of how big data fines are and that's whilst also ignoring the resulting damage from the fallout of Identify Theft and fraud. 

[WkdPaul]

3 minutes ago, Actual_Criminal said:

*snip*

Thing is, when there's a leak, the company will be fined even if the data doesn't go public. So they would have to pay the fine AND a legal firm to get this sorted out.

 

It's easier and cheaper to just pay the fine and then pay to beef up the security so that it won't happen again. Corporations are often engaged in reactionary actions, and are often penny pinchers, can't remember what subreddit it is, but there's one where people talk about their company's habit of wasting money where they save a dollar today, only to pay $5 later down the line.

 

I know it sucks, but data breaches like this will be more and more common, even if there are strict laws in place. InfoSec isn't an easy field, and one can claim a system impenetrable, but there's always a weak link somewhere (and on very very secure systems, that weak link is often an inside-man with large access ; https://www.cbc.ca/news/business/desjardins-breach-privacy-report-1.5840171 )

[Actual_Criminal]

1 hour ago, wkdpaul said:

Thing is, when there's a leak, the company will be fined even if the data doesn't go public. So they would have to pay the fine AND a legal firm to get this sorted out.

 

It's easier and cheaper to just pay the fine and then pay to beef up the security so that it won't happen again. Corporations are often engaged in reactionary actions, and are often penny pinchers, can't remember what subreddit it is, but there's one where people talk about their company's habit of wasting money where they save a dollar today, only to pay $5 later down the line.

 

I know it sucks, but data breaches like this will be more and more common, even if there are strict laws in place. InfoSec isn't an easy field, and one can claim a system impenetrable, but there's always a weak link somewhere (and on very very secure systems, that weak link is often an inside-man with large access ; https://www.cbc.ca/news/business/desjardins-breach-privacy-report-1.5840171 )

If you find what subreddit it is, feel free to comment it or DM me it as I would be interested in giving it a read. I work for a worldwide firm and can relate to what you said as well. Short term costs > Long term costs when it comes to priorities. 

 

Ah well things may change. I have started seeing paid advertisements over the last year for new companies offering 'compensation' for a data breach. Apparently the average claim is £1,000-£40,000. If you go to Google and type Data Breach compensation you will get tons of results. Seems to be a new growing market like cash-for-crash type companies. Data breaches are getting more costly now. 

[harryk]

FYI by the time the leaked data is found by groups like haveibeenpwned.com the leaked data has likely already been sold to multiple customers. By the time you find out, the data is already in the hands of nefarious folk. Trying to do anything about the breach after that fact is a Sisyphean task. 

[Kilrah]

2 hours ago, Actual_Criminal said:

All i'm saying is, if you throw enough money at something, anything can be done pretty much these days.

Thing is, anything a company can do to minimize the impact of a leak after the fact is only just going to be costing them more money while having very little impact since once the stuff is out there it's out there. So they have basically nothing to gain... as a result those who do have something to gain from it will have a lot more money to throw at trying to breach.