Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care

Welcome to the nexus of ethics, psychology, morality, technology, health care, and philosophy

Wednesday, March 2, 2022

Despite Decades of Hacking Attacks, Companies Leave Vast Amounts of Sensitive Data Unprotected

Cezary Podkul
ProPublica
Originally published 25 JAN 22

Here is an excerpt:

Americans rarely get a glimpse of hackers, much less what their work entails. They might be surprised to learn how little experience is needed. People often think hackers are highly sophisticated, Troy Hunt, creator of data breach tracking website Have I Been Pwned, told ProPublica. But in reality, there’s so much unsecured data online that most of the 11.7 billion email addresses and usernames in Hunt’s collection come from young adults who watch a few instructional videos and figure out how to grab them for malicious purposes. “It’s coming from kids with internet access and the ability to run a Google search and watch YouTube videos,” Hunt said in a 2019 talk about how hackers gain access to data.

Hiếu was once one of those teenagers. He grew up in a Vietnamese fishing town where his parents ran an electronics store. His dad got him a computer at age 12 and, like many adolescents, Hiếu was hooked.

His online pursuits quickly took a wrong turn. First, he started stealing dial-up account logins so he could surf the web for free. Then he learned how to deface websites and abscond with data left exposed on them. In high school, he joined forces with a friend who helped him pilfer credit card data from online stores and make up to $500 a day reselling it.

Eventually fellow hackers told him the real money was in aggregating and reselling Americans’ identities. Unlike credit cards, which banks can cancel instantly, stolen identities can be reused for various fraudulent purposes.

Beginning around 2010, Hiếu went looking for ways to get detailed profiles of Americans. It didn’t take long to find a source: MicroBilt, a Georgia-based consumer credit reporting firm, had a vulnerability on its website that allowed Hiếu to identify and take over user accounts. Hiếu said he used the credentials to start querying MicroBuilt’s database. He sold access to the search results on his online data store, called Superget.info.

MicroBilt spotted the vulnerability and kicked Hiếu out, setting off a monthslong standoff during which, Hiếu said, he exploited several vulnerabilities in the company’s systems to keep his store going. MicroBilt did not respond to requests seeking comment.

Tired of the back and forth, Hiếu went looking for another source. He found his way into a company called Court Ventures, which resold aggregated personally identifiable information on Americans. Hiếu used forged documents to pretend he was a private investigator from Singapore with a legitimate use for the data. He called himself Jason Low and provided a fake Yahoo email address. Soon, he was in.