SANTA ROSA, CALIF. — Chances are your private data has been available on the web for any random visitor to read. And you may not even be able to blame hackers or identity thieves for it.
Instead, somebody at a company that collected or handled your information — maybe a wireless carrier, maybe a software firm with a mailing list, maybe a political research firm trying to put you in one likely-voter box or another — may have left it exposed on their own. And this happens often enough for one security researcher to make finding these exposures his specialty.
What’s more, there’s really not much you can do about it short of becoming a digital hermit.
A boom in breaches
Chris Vickery, director of cyber risk research at Upguard Security, has a simple theory for why he keeps finding databases open.
“I would say convenience is probably the biggest reason,” Vickery said during an interview at a coffee shop in this Sonoma County city where he works remotely for his Mountain View, California employer. “It’s easier just to have it open to everybody.”
At best, he added, some hapless employee doesn't realize they left the data exposed, or assumes nobody will stumble upon the shortcut they took to make working remotely easier.
The biggest such exposure Vickery has found to date was some 200 million voter-registration records that a Republican National Committee contractor left publicly accessible. Smaller finds can do damage too.
The 13 million account credentials from the Mac-software firm Kromtech that Vickery found in 2015 could have been used to break into other accounts “secured” with the same reused passwords.
The 6 million Verizon (VZ) wireless subscriber records Vickery found last month included some account PINs, the codes a caller uses to prove to the carrier that they are the account holder. An attacker holding one could impersonate the subscriber to Verizon and, from there, defeat the two-step verification that confirms strange logins with a one-time code texted to your phone.
(Verizon’s media division Oath owns Yahoo Finance.)
And the 87 million Mexican voting records he uncovered in 2016 could have been exploited by drug traffickers to compound the country’s plague of kidnappings and murders. Vickery recalled one immediate reaction: “You cannot let the cartels know about this.”
The 32-year-old’s work has won endorsements from other security researchers.
“Chris has been enormously effective at sniffing out exposed data left at risk in all sorts of obscure places,” said Troy Hunt, an Australian researcher who runs a data-breach index called Have I been pwned? that can reveal if your accounts have been exposed.
How to find a breach
Vickery said the easy part of his job is finding these databases, thanks to Shodan, a searchable catalogue of publicly accessible devices, and automated scanning tools that can quickly detect databases left open.
“The amount of data that comes back isn’t a ton, but it happens at a very, very fast rate,” he said.
At no point, he said, does he engage in hacking or impersonation of a legitimate user.
“If you have a password or a username set up, I’m not going to go any further,” he said. “I don’t trick anything.”
If a search locates apparently sensitive data, he will download a sample to confirm that it represents material that should have stayed private. He usually doesn’t bother looking for his own info, but he has not been amused when he finds it — such as in a leaked voter-registration database in 2016.
“I looked myself up just to see if it was legit, and it was all my data,” he recalled. “I was pretty pissed.”
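The routine the preceding section describes, written out as an added example rather than UpGuard's or Vickery's own tooling: take a list of candidate hosts (here a constructed list; in practice it would come from a scan or a Shodan query such as port:9200, which is an assumption about how the list was built), ask an Elasticsearch endpoint a plain unauthenticated question, stop the moment it asks for credentials, and when it answers freely record only index names and document counts as the "sample" that shows the exposure is real. The hosts, ports and JSON responses below are constructed; nothing touches the network unless the script is run directly.

```python
"""Exposure check for an Elasticsearch endpoint: unauthenticated GET,
stop on any sign of a password, record only what proves the exposure.
Added example; not UpGuard's or Vickery's code. Host list is constructed."""
import http.client
import json
import socket

# Constructed candidates. Assumption: a real list would come from a port
# scan or a Shodan query for port 9200.
CANDIDATES = [("203.0.113.10", 9200), ("198.51.100.7", 9200)]

OPEN = "OPEN"                    # answered a data request with no credentials
AUTH_REQUIRED = "AUTH_REQUIRED"  # a password is in the way: go no further
UNKNOWN = "UNKNOWN"              # unreachable, or not Elasticsearch


def classify(status, body):
    """Decide from an HTTP status and body whether the endpoint is open.
    Only a 200 whose body parses as an Elasticsearch banner counts."""
    if status in (401, 403):
        return AUTH_REQUIRED
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return UNKNOWN
        if isinstance(doc, dict) and "cluster_name" in doc:
            return OPEN
    return UNKNOWN


def summarize_indices(cat_json):
    """Turn /_cat/indices?format=json output into (name, doc count) pairs,
    largest first, skipping system indices that start with a dot. This is
    the evidence kept instead of bulk-downloading records."""
    out = []
    for row in json.loads(cat_json):
        name = row.get("index", "")
        if name.startswith("."):
            continue
        try:
            count = int(row.get("docs.count") or 0)
        except ValueError:
            count = 0
        out.append((name, count))
    return sorted(out, key=lambda t: -t[1])


def fetch(host, port, path, timeout=5):
    """Plain unauthenticated GET: no credentials supplied, nothing tricked."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Accept": "application/json"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def probe(host, port):
    """Return (verdict, index summary); the summary is empty unless OPEN."""
    try:
        status, body = fetch(host, port, "/")
        verdict = classify(status, body)
        if verdict != OPEN:
            return verdict, []
        status, cat = fetch(host, port, "/_cat/indices?format=json")
    except (OSError, socket.timeout, http.client.HTTPException):
        return UNKNOWN, []
    return verdict, summarize_indices(cat) if status == 200 else []


if __name__ == "__main__":
    for host, port in CANDIDATES:
        verdict, indices = probe(host, port)
        print(host, port, verdict, indices[:5])
```

The only request the script sends to a protected server is the banner GET; a 401 or 403 ends the probe, which is the line Vickery describes drawing. The index summary (name and count, not contents) is what goes into the notification to the owner.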
Then he will try to notify the affected company. That hasn’t always been easy. Kromtech, the maker of the often-scorned security app MacKeeper, didn’t respond to his queries until he posted about the problem on Reddit — though after securing the data, the firm hired him to blog about security issues.
Hunt, the Australian researcher, recently met even more egregious resistance when a British firm selling family discounts for things like theme parks blocked him and others on Twitter for tweeting about its lax security.
“I used to start at the bottom, calling the receptionist or something,” Vickery said. “Now I’ll start with the breached data and then find the CEO’s home number and call him at dinner. That usually gets a faster response.”
Unhelpful responses and an unhelpful law
But a response accepting his findings can still come seasoned with denial. Vickery advised against trusting the common excuse that only he saw the exposed data: many companies don't keep the access logs needed to prove that claim.
“They can say that plausibly because they’re not keeping logs,” he said.
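What it would take to back that claim up, as an added example that is not the article's or any company's code: a web server fronting the exposed export writes one combined-format access-log line per request, and those lines, not an absence of complaints, are the only way to name who read the file. The log lines below are constructed, with three different clients reading a hypothetical /exports/customers.json in one hour.

```python
"""Who read an exposed file, according to a combined-format access log.
Added example (not the article's or UpGuard's code); log lines constructed.
Without such a log, 'only the researcher saw it' is a guess, not a finding."""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: three clients fetch the export; one only lists the directory.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Jul/2017:14:02:11 +0000] "GET /exports/customers.json HTTP/1.1" 200 5132001 "-" "curl/7.54.0"
203.0.113.5 - - [21/Jul/2017:14:02:20 +0000] "GET /exports/customers.json HTTP/1.1" 200 5132001 "-" "curl/7.54.0"
198.51.100.44 - - [21/Jul/2017:14:15:02 +0000] "GET /exports/customers.json HTTP/1.1" 200 5132001 "-" "python-requests/2.18"
192.0.2.9 - - [21/Jul/2017:14:40:55 +0000] "GET /exports/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.9 - - [21/Jul/2017:14:41:03 +0000] "GET /exports/customers.json HTTP/1.1" 206 1048576 "-" "Mozilla/5.0"
"""


def readers(log_text, path):
    """Map client IP -> number of successful (2xx, including partial 206) reads of path."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped, so the count is a lower bound
        if m.group("path") == path and m.group("status").startswith("2"):
            counts[m.group("ip")] += 1
    return dict(counts)


def sole_reader(log_text, path, researcher_ip):
    """True only if a log exists and every read of path came from researcher_ip.
    Returns None when there is no evidence either way, which is the honest
    answer when no log was kept or nobody was recorded reading the file."""
    if not any(line.strip() for line in log_text.splitlines()):
        return None
    seen = readers(log_text, path)
    if not seen:
        return None
    return set(seen) == {researcher_ip}


if __name__ == "__main__":
    print(readers(SAMPLE_LOG, "/exports/customers.json"))
    print(sole_reader(SAMPLE_LOG, "/exports/customers.json", "203.0.113.5"))
    print(sole_reader("", "/exports/customers.json", "203.0.113.5"))
```

The three-valued answer is the point: an empty log yields None rather than True, so a company that logged nothing cannot turn "we saw no one" into "no one saw it". Log retention also has to cover the whole exposure window, which this check cannot verify from the lines alone.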
Vickery said he has also received the occasional legal threat, despite making a point of not using hacking tools to sneak into sites.
“No law enforcement agency has ever even suggested that what I do is illegal,” he said.
But the 1986-vintage Computer Fraud and Abuse Act applies such a broad definition of online trespassing that a company could feasibly try to sue a researcher like Vickery.
A new bill, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, would exempt more security research from the CFAA as part of a larger tightening of security standards for internet-connected devices in government use. But the CFAA's vagaries have survived years of talk about reforming it.
Will another round of data-breach headlines change that? We’ll probably find out soon enough, Vickery said. While consumers are now better educated about the scope of the problem, companies keep making the same mistakes.
“I think things have gotten better in the past couple of years as far as awareness goes,” Vickery said. “But the number of breaches happening hasn’t decreased at all.”