author photo
By Clare O’Gara
Mon | Feb 17, 2020 | 8:02 AM PST

In a world where everyone is connected and everything is accessible at the push of the button, how important is your data, really?

And how significant can it be when this data gets leaked or stolen?

According to two students at Harvard University, it poses a more serious risk than most realize.

Harvard students think like cybercriminals

For the final project in their Privacy and Technology computer science course, Harvard sophomores Dasha Metropolitansky and Kian Attari wanted to answer a question.

"The immediate response to a company being breached is fear and outrage, but quickly the public response dissipates and people move on with their lives," explained Metropolitansky.

"What hacker has time to go through hundreds of thousands of login credentials and break into each one of them? Most of us just think we’re average individuals—why would a hacker want to target me or you if we’re not especially powerful or prominent?"

But is that logic really true?

To find out, the pair needed to think like a cybercriminal, and that meant going to the Dark Web.

What did Harvard students find on the Dark Web?

"The hackers and malicious people who would exploit this kind of data can find it pretty easily," explained Attari about their investigation.

Using the anonymizing Tor software, the pair managed to find a number of forums on the Dark Web where hackers share data leaks.

They found a dataset from the 2015 Experian breach with information on over six million individuals.

They decided to pursue a subset of this information, so they focused on data the that forum said was related to the Washington D.C. area.

Based on that search, they located more than 40,000 unique email addresses.

Next, they used one of the Dark Web's many archiving sites, where you can plug in an email address and discover all the data leaks in which that email appears.

That information led them to credentials, passwords, and usernames.

Once they rejoined this information with the Experian dataset, they connected each online presence to a real-world identity.

That's scary stuff.

"What we were able to do is alarming because we can now find vulnerabilities in people's online presence very quickly," Metropolitansky said. "We also showed that a cyber criminal doesn't have to have a specific victim in mind. They can now search for victims who meet a certain set of criteria."

What's the risk of leaked data?

Needless to say, we're lucky these students were only doing research for a college assignment.

The information they managed to find on the Dark Web can do a lot of damage. This is what they discovered, according to the Harvard School of Engineering:

In less than 10 seconds Metropolitansky produced a dataset with more than 1,000 people who have high net worth, are married, have children, and also have a username or password on a cheating website.

Another query pulled up a list of senior-level politicians, revealing the credit scores, phone numbers, and addresses of three U.S. senators, three U.S. representatives, the mayor of Washington, D.C., and a Cabinet member.

And the students are very aware of the data they collected.

"Hopefully, this serves as a wake-up call that leaks are much more dangerous than we think they are," Metropolitansky said. "We're two college students. If someone really wanted to do some damage, I'm sure they could use these same techniques to do something horrible."

And if two college sophomores can discover your data for a final project, what's stopping hackers from making their living off of it?

Comments