Interview Despite the hype about state-sponsored hackers, most breaches are actually the result of either criminal activity or "kids messing around", according to breach expert Troy Hunt.
Hunt, operator of the breach notification service Have I Been Pwned, noted that many of the current spate of breach disclosures actually stem from attacks that took place in or around 2012.
“We’ve seen anything on this scale since Adobe,” Hunt told El Reg. “Motives differ with LinkedIn, for example, designed to make money. Sony was state sponsored and Yahoo – if we take them at their word – was state-sponsored.”
Hunt expressed doubt about Yahoo!'s contention of a state-sponsored attack which led to half a billion accounts being exposed, referencing recent research by InfoArmor that offered up the theory that criminals were behind the attack.
“Blaming state hackers has become like a ‘dog ate my homework’ excuse,” he added.
El Reg caught up with Hunt for 30 minutes shortly after he spoke about data breaches and other matters at the ScotSoft conference in Edinburgh on Thursday.
He said that large datasets such as the LinkedIn cache were commonly dumped online by hackers when they are “no longer profitable to sell”. There are exceptions to this rule such as Ashley Madison, where hackers immediately leaked the purloined data as widely as possible in an effort to embarrass and pressurise the business.
Hunt criticised TalkTalk as “negligent” over its October 2015 breach and criticised the record £400k fine imposed by data privacy watchdogs at the ICO as insufficient to serve as any deterrent.
“TalkTalk was fined 0.02 per cent of revenue, something that will have no impact on its business,” Hunt said. “TalkTalk was hit by a 15 year old kid using free software, not a sophisticated attacker.”
TalkTalk was “negligent” in being unable to defend against the attack it suffered, according to Hunt, a Microsoft regional director and MVP for developer security.
Some breaches can have an effect on share price. For example, the share price of Paysafe dipped before recovering after it emerged that Neteller and acquired firm Skrill had suffered a breach.
Running haveibeenpwned has given Hunt a singular insight into major data breaches, how hackers operate and the weaknesses they exploit within organisations. Some cases show that at least some large organisations are beginning to follow industry best practice for password handling. For example, metadata from the Dropbox breach shows that the organisation was halfway through moving from the ageing SHA1 algorithm to bcrypt for password hashing.
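The migration Hunt describes (a store holding a mix of legacy SHA1 hashes and modern slow hashes, upgraded as users log in) is worth seeing in code. The example below is added here and is not code from the article, from Hunt or from Dropbox. The user accounts are constructed sample data, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, which is not in the standard library; the rehash-on-login logic is the same whichever slow, salted hash is chosen.

```python
import hashlib
import hmac
import os

# Assumed work factor for the stand-in slow hash (tune for your hardware).
PBKDF2_ITERATIONS = 100_000


def make_legacy_store() -> dict:
    """Constructed sample store: two accounts still on unsalted SHA1.
    Because SHA1 is unsalted and fast, identical passwords produce identical
    hashes, and a precomputed table cracks both at once."""
    legacy = hashlib.sha1(b"correct horse").hexdigest()
    return {
        "alice": {"scheme": "sha1", "hash": legacy},
        "bob": {"scheme": "sha1", "hash": legacy},
    }


def new_hash(password: str) -> dict:
    """Hash with a fresh per-user salt and a deliberately slow KDF.
    PBKDF2-HMAC-SHA256 is used as a stdlib stand-in for bcrypt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return {
        "scheme": "pbkdf2",
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": digest.hex(),
    }


def check_record(record: dict, password: str) -> bool:
    """Verify a password against either scheme, in constant time."""
    if record["scheme"] == "sha1":
        candidate = hashlib.sha1(password.encode()).hexdigest()
    elif record["scheme"] == "pbkdf2":
        candidate = hashlib.pbkdf2_hmac(
            "sha256",
            password.encode(),
            bytes.fromhex(record["salt"]),
            record["iterations"],
        ).hex()
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def login(store: dict, username: str, password: str) -> tuple:
    """Authenticate and, if the account is still on the legacy scheme,
    rehash with the slow scheme. Returns (authenticated, upgraded).
    The upgrade can only happen at login, because that is the only
    moment the plaintext password is available to the server."""
    record = store.get(username)
    if record is None:
        # Unknown user: return the same shape as a failed login.
        return (False, False)
    if not check_record(record, password):
        return (False, False)
    if record["scheme"] == "sha1":
        store[username] = new_hash(password)
        return (True, True)
    return (True, False)


def same_hash(store: dict, user_a: str, user_b: str) -> bool:
    """True when two accounts' stored hashes are byte-for-byte identical,
    which a salted scheme should make impossible even for equal passwords."""
    return store[user_a]["hash"] == store[user_b]["hash"]


if __name__ == "__main__":
    users = make_legacy_store()
    print("shared legacy hash:", same_hash(users, "alice", "bob"))
    print("alice login:", login(users, "alice", "correct horse"))
    print("bob login:", login(users, "bob", "correct horse"))
    print("shared hash after upgrade:", same_hash(users, "alice", "bob"))
```

The half-migrated state Hunt observed in the Dropbox metadata is exactly what this pattern produces: accounts that have not logged in since the change keep their old hash, so the legacy scheme lingers in the database until either every user returns or the operator forces a password reset for the remainder.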