Cybersecurity Insights & Analysis

What happens to stolen data? 💰

We regularly hear news stories concerning the latest data breaches. But this prompts the question: what exactly happens to stolen data after it’s been extracted from an organisation’s network?

In June of 2021, a hacker – or hackers – going by the name of Tom Liner posted on a darknet forum claiming to have possession of over 700 million records on LinkedIn users. Whilst this wasn’t necessarily the result of a data leak (it was the result of data scraping), the results are no less worrying.

Upon inspection, the ‘dump’ contained the names, email addresses, phone numbers, physical addresses, employment details, and even the geolocation records of hundreds of millions of LinkedIn users, all available on popular hacker forums.

To put this in perspective, 700 million user records equates to 92% of LinkedIn’s userbase. If you have a LinkedIn account, the overwhelming likelihood is that your information is somewhere in this database.

So, what happens to stolen data? And should I be concerned?

In this insights article, we’ll be explaining why hackers want your data, what they do once they get their hands on it, and some quick tips on how you can protect yourself from being targeted by cybercriminals.

What's the point in stealing data?

If you have followed the news over the past 3 years, you will have noticed that more and more of the stories we hear about involve cybersecurity, and, more specifically, data breaches.

This is unsurprising, given that data has become one of the most lucrative commodities on earth.

From a criminal’s point of view, stealing data is an attractive and often lucrative business. When compared to the traditional heist – featuring balaclavas and AK47s – a digital heist offers cybercriminals a much better return against the risk that they take.

And, if you use the internet, it’s highly likely that you’ve already been the victim of a data breach or will become a victim at some point in the future.

No two data breaches are equal, with some having much more serious consequences than others. The severity of a data breach often comes down to the type of information that has been leaked.

Some of the data types include:

– Metadata, which is information about data, such as when a message was sent or where a photograph was taken.
– Government records.
– Financial accounts and statements.
– Personal bank details.
– Passwords and password hashes.

However, depending on your situation and your adversaries, what might constitute a minor data breach for someone else could constitute something much more serious for you. Furthermore, even if you’re not too concerned about having your data leaked today, it could become much more significant several years down the line.

With that being said, let’s look at the five things hackers do with stolen data.

1) Stolen data can be used for identity theft

Perhaps the most obvious use for stolen data is identity theft. If someone gets hold of your sensitive information, such as your address, date of birth, or national insurance or social security number, they can use it to steal your identity.

This could allow them to sign agreements, make purchases, open bank accounts, and even apply for passports using your identity. Identity theft is usually a component of a broader criminal conspiracy. 

Criminals require stolen identities to commit fraud, launder money, and immigrate into other countries illegally. Therefore, if you’re a victim of identity theft, then crimes could be committed using your name.

After a hack is completed, cybercriminals will often dump or sell stolen data on the darknet for it to be used by other criminals.

You may have heard about the darknet, but perhaps you’re not too familiar with it. The darknet is a hidden section of the internet that is only accessible using specialist software and is used by criminals as well as intelligence agencies, journalists, and whistle-blowers.

Everything you see on the internet is merely the tip of the iceberg. In fact, it’s believed that less than 4% of the internet is indexed by Google, and the other 96% of content on the internet is hidden.

Among this hidden content rests the infamous darknet.

Just like the clear net, the darknet has its own websites too. There are websites that sell drugs, firearms, forged documents, money laundering services, and various other illegal goods and services.

Most of the darknet runs through the Tor network, but other services such as I2P and JonDonym also exist.

Undoubtedly, stolen data is one of the most popular items for sale on the darknet. There are entire websites dedicated to selling your data, and you can even acquire entire databases completely free of charge.

Unsophisticated criminals can access the stolen data for little to no cost, and use it to make purchases, sign agreements, and forge documents. 

2) Stolen data can be used to compromise other accounts

Stolen data can be useful to hackers that want to compromise other accounts owned by their target.

Once hackers gain access to a database, they can find the password hashes associated with a given username, crack the password, and then use it to log in to other accounts. Studies show that over 50% of people use the same password for every account they have, and once a hacker finds someone’s password, they in essence have the keys to their target’s digital kingdom. 

In 2011, the widely revered hacker collective, Anonymous, compromised the accounts of the chief executive of HBGary Federal, one of the country’s leading private security companies. They discovered that he was using the same password for several accounts, and so when one account was compromised, all of his accounts could be compromised.

The lesson? Don’t use the same password on multiple different websites. If one website’s database is compromised, then all of your accounts could potentially be compromised. 

With that said, most websites will have security measures in place to protect your password once it’s stored in their database.

When you create an account on a modern web application, your password will be stored in the database as a hash value. A hash function is a one-way cryptographic function that converts plain text into a fixed-length, pseudo-random-looking combination of characters.

Then, when you go to log in to your account, the website will take the password you enter, convert it to a hash, and compare it with the hash stored in the database. If the hashes match, you will be given access to your account. If the hashes don’t match, you’ll be asked to try again.

For example, the SHA-256 hash of ‘password123’ is ‘EF92B778BAFE771E89245B89ECBC08A44A4E166C06659911881F383D4473E94F’.

In secure applications, the password hash will be contained in the database, and every time you log in, the application will check the hash of the password you input with the hash value saved in the database. 

Hashing is fundamental to securing data when it’s resting in a database. The idea is that if a hacker accesses a database containing many passwords, then they won’t be able to see the passwords because they will be stored as a hash value.

However, it’s not foolproof. Commonly used passwords can easily be cracked as their hash value will be widely known. That’s why, in addition to hashing, websites will often implement salting to further secure the passwords. Salting sees an application automatically add a unique value at the end of a password before it’s hashed and stored in a database. Because the salt changes the resulting hash value, it becomes less likely that hackers will recover your real password.
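The hashing and salting behaviour described above, as an added example that is not part of the original article: it reproduces the unsalted SHA-256 scheme, shows why two users with the same common password end up with the same widely known hash, and then stores a salted hash instead. PBKDF2 with 600,000 iterations, the 16-byte salt, the sample passwords and all function names are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor, not taken from the article


def unsalted_sha256(password: str) -> str:
    """The plain scheme from the article: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest().upper()


def matches_known_hash(stored_hash: str, common_passwords: list[str]) -> bool:
    """True if an unsalted hash equals the hash of a widely used password."""
    return stored_hash in {unsalted_sha256(p) for p in common_passwords}


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted, deliberately slow hash: returns (salt, derived_key) to store."""
    salt = salt if salt is not None else os.urandom(16)  # unique per user
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same weak password.
    common = ["123456", "password123", "qwerty"]
    alice_plain = unsalted_sha256("password123")
    bob_plain = unsalted_sha256("password123")
    print("unsalted hashes identical:", alice_plain == bob_plain)
    print("found in common-password list:", matches_known_hash(alice_plain, common))

    alice_salt, alice_key = hash_password("password123")
    bob_salt, bob_key = hash_password("password123")
    print("salted hashes identical:", alice_key == bob_key)
    print("correct login:", verify_password("password123", alice_salt, alice_key))
    print("wrong password:", verify_password("Password123", alice_salt, alice_key))
```

The salt is stored next to the derived key; it does not need to be secret, only unique per account.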

So what does all this mean to you? In essence, use a variety of passwords and a variety of usernames associated with your accounts. Ensure your passwords are strong by making them at least 16 characters in length and incorporating uppercase and lowercase characters, numbers and symbols. By doing so, you’ll reduce your susceptibility to dictionary attacks, and will reduce your attack surface should your data be leaked. 

3) Stolen data can be used to doxx people

Doxxing is the act of weaponising someone’s personal data against them, and posting sensitive information such as their address, phone number, or other compromising material on public websites and social networks. 

The internet never forgets, and almost everything you do on the net will be recorded by someone, somewhere. Bad actors know this, and they can use it to collate large swathes of information on their target and expose it to public scrutiny. 

Doxxers look for breadcrumbs, or small pieces of information about their target using various means and sources. They may analyse the metadata of images on websites, look at social media posts, or access breached databases to find the addresses and phone numbers of their target.

For example, if you have someone’s email address, you could enter it into a website such as haveibeenpwned.com and learn more about the sites they visit. This information could lead you to new clues, and the process continues until the attacker has collated a huge amount of personal information on their target. 

The doxxer may then attempt to extort the victim out of money – promising not to post the sensitive information if money is paid – or they may publish it and inform the victim afterwards.

Regardless, doxxing can have terrible consequences for anyone on the receiving end of these attacks, and is now a criminal act in many countries, including the U.K.

Stolen data is widely used in doxxing attacks. Typically, the data that is featured in databases is sensitive by nature, so exposing it to the internet could have serious ramifications for the victim. 

As a general principle of good security, avoid giving out information that you don’t need to, and limit what you share on social media. Everything you do online leaves crumbs behind which could be collected and used by cybercriminals. 

4) Data can be weaponised by nation states

Finally, there’s rising concern among national security agencies around data protection. Put simply, a nation that loses control over its data will in turn erode its sovereignty over time. 

That’s why the rise of social network TikTok in 2020 sparked a row surrounding data protection, with the then-president Donald Trump threatening to outlaw the Chinese-based firm. The U.S. Government was wary that TikTok, being Chinese-owned, was being used to gather massive amounts of data on U.S. citizens. This information could then be accessed by the Chinese Government and used to predict trends in American society, increase division on political topics, and influence society in ways that would deteriorate America’s standing on the world stage.

The 2016 presidential election and the European Union referendum are two prominent examples of occasions where hostile nation-states have tried to sway public opinion and stir up divisions. In these cases, the Russian government was accused of using social media platforms to encourage divisions among American voters, spread disinformation, and promote the candidate of their choice. 

It’s with these case studies in mind that intelligence agencies such as GCHQ warn of the risks of a country’s data getting into the wrong hands. Your stolen data could be used by foreign states to influence you in ways that you might not want to be influenced, with potentially dire consequences for society as a result.

In conclusion

There’s a reason why data has become one of the most valuable commodities on earth. In today’s world, stealing an intangible asset such as data can be more lucrative than stealing a traditional commodity such as gold. Having data puts you in a position of power, and everyone from nation-states to big-tech is always looking for methods to learn more about you.

The solution? Limit your attack surface by creating as few accounts as possible. Use a variety of email addresses to create accounts, and never use the same password on several accounts. And use two-factor authentication whenever you have the chance.


UK Cybersecurity Company

About Aitken Security

Aitken Security is a UK Cybersecurity Company specialising in offensive and defensive security.