I finally got around to reading this month's Wired (UK edition). One article in particular made me stop and think: "Hacker Tracker". This is an interview with Troy Hunt who has set up a website called haveibeenpwned.com. By entering your user name or email address, you can find out whether your details have leaked and by whom. His website searches a dataset currently containing 345million hacked accounts.
Out of interest, I entered a couple of my personal email addresses into the tools. For me, I peaked at three instances of hacked accounts: Adobe, LinkedIn and tumblr. The website tells you the hacked account and what data leaked. In all three cases, the hacked data contained my password and email address. Adobe went further as it included my username and password hint.
My initial reaction was, "Phew, that could have been worse". But, if I'm honest, my first reaction was more like, "Oh, I forgot I had a tumblr account!". One fear is that people tend to use one password for many sites. I wasn't worried about this as I use a password manager to manage different passwords for each site. I'm also a strong advocate of using two factor authentication where ever possible. But still... it makes you think. When registering, how many times are you asked to provide other information? Date of birth? Favorite pet? Mobile phone number? You do have to ask, why do they need this information? Is it essential and would they not be able to provide me a service without it?
And in isolation, much of this data might seem harmless. But it becomes scary when you consider that data breeches are not uncommon. When you combine data from many sources, a hacker is able to build a more complete profile of an individual. With this profile, could they undertake social engineering attacks to conduct further hacks? Or combine with other anonymous data sets to actually identify an individual?
Consider the companies that got hacked: Adobe and LinkedIn. Not exactly startups. But think of how much personal information I have entrusted to LinkedIn. My entire work history is there along with a social graph of my professional contacts. We are trusting that they will look after and protect our data. But how do we determine who to trust? Do we even stop to consider it? Should we? And what hope is there for startups to secure our data if established companies can't? In fact, are smaller companies able to determine a hack has happened?
As software developers, we can sometimes be too focused on getting a feature working. Maybe exasperated by Agile and lean methodologies. Delivering smaller chunks of functionality that enable the customer to confirm our approach. Even so, we should never loose site of security. We should ensure its ingrained in every feature or user story that we implement. All too often it can be an afterthought. Increased agility can be double sided where trust and reputation can be ruined in an instant.
So have you been pwned? Why not check at haveibeenpwned.com