Security Sense: Think Carefully Before Claiming a Company was Hacked

We've seen a lot of companies genuinely hacked lately and a lot of false claims too. It's really important to get the facts straight.

Troy Hunt

June 3, 2016


Some very serious security incidents have come to light in recent weeks. Tumblr had about 65 million accounts hacked, which they acknowledged back on May 12. Shortly after, it was LinkedIn with around 168 million accounts, and they too came forward and admitted that the news of the hack was indeed true. Most recently it was MySpace, this time with 360 million accounts, and once again a major online presence stood up and accepted the reality that millions of their accounts were now floating around the web. Never more so than in the last few weeks, we’ve come to expect that data breaches are occurring on a massive scale.

But there’s a nagging concern that’s been brewing in the back of my mind whilst this has been going on; are these serious incidents possibly conditioning us to automatically assume the worst? Will it cause us to throw caution to the wind when dealing with the daily claims that some large web presence has become the victim of one of these attacks? I’ve witnessed near-lynch mob mentality in some recent incidents and it concerns me that there may be an irrational spate of people prematurely jumping to conclusions.

Just today, someone sent me “the Dropbox hack”. I’d heard rumours of this in recent weeks and indeed Dropbox would be right up there with the three sites mentioned above in terms of newsworthiness of a hack. Only a few hours ago, I began looking at the data but before I could get far, Brian Krebs made my life a whole lot easier and wrote about how Dropbox was smeared in a week of megabreaches. The breach was fake; it was merely a rehash of the Tumblr incident. But it’s how this news came to light which I find particularly concerning.

Brian details it all in his usual thorough fashion in the blog post but in a nutshell, subscribers to identity monitoring services were suddenly being told their Dropbox was hacked. When he followed the trail back to the origin, Brian found that the original claim had come via an anonymous Twitter account which was sufficient “evidence” for a service that feeds data to identity theft providers to claim that the data was legit. No independent verification, no input from Dropbox, just straight to the conclusion that they’d been hacked.

Over the last day, there’s been a lot of speculation that TeamViewer has suffered a similar fate. In the one corner, many people have pointed me to a Reddit thread where there is a large vocal gathering of individuals who are rather unhappy. In the other corner, TeamViewer recently published a blog post claiming that they haven’t been hacked and that there are no security holes. They suggested that recent incidents may be related to password reuse, a premise I publicly agreed with particularly in light of those three large legitimate incidents I mentioned earlier. Responses to that tweet of mine were sometimes, well, “passionate” but the fact remains that this is frequently the cause of account takeovers.

Then finally, there’s the Badoo dating service and again, claims that they’ve been hacked. As with TeamViewer, Badoo vehemently denies the incident occurred. I don’t know whether they’ll fall into the Tumblr / LinkedIn / MySpace bucket or the Dropbox bucket in terms of the legitimacy of the incident, but I’m concerned to see claims that don’t appear to have been fully substantiated. I’m especially concerned that those I’ve seen claiming Badoo has been hacked are doing so from the same veil of anonymity that protected the individual reporting on Dropbox. It’s easy to make claims of this nature when there’s no personal recourse, much harder when you actually need to take personal responsibility for your allegations.

Accusations of a site being hacked have serious consequences. Many people are uninstalling TeamViewer and deserting their service. They may have been hacked – I honestly don’t know and there are some alarming patterns I’d like to see answers to – but that’s the point I’m trying to make here in that we simply don’t have emphatic evidence one way or the other for them or Badoo just as nobody had it for Dropbox before they started claiming the file sharing service was hacked. In fact, just last month after sensationalist claims of 272 million Hotmail, Gmail, Yahoo and other accounts being hacked were made and then proven false, I wrote about how I verify data breaches and I reference Badoo in there as well as Zoosk (another dating service). I found major inconsistencies in the data that made it highly unlikely to be legitimate yet here we are today with both of those being on the receiving end of claims to the contrary.

Verifying data breaches takes effort and many times it will mean that no sensational headlines are due and no other personal upsides will be gained by those who benefit from these incidents. But it’s the right thing to do and we should be collectively pushing for claims to be substantiated and treating those who cannot do so with a healthy degree of scepticism.
