What I’ve Learned About the Brokers Who Trade Passwords by the Millions

In my work running the data breach service Have I Been Pwned?, I'm constantly exposed to individuals dealing with the spoils of hacked websites. Sometimes it's just a small collection of usernames and passwords from a relatively inconsequential forum, other times it's tens of millions of records of data that has a truly negatively, life-altering impact on those who've been exposed. Yet regardless of the impact, a major data breach is frequently followed by the mass redistribution of the data, and "traders" play a very active role in how it's spread.

It usually begins with a private message: "Hey, have you got LinkedIn? Want it?" If it's not LinkedIn, then it's MySpace or Tumblr or some other breach of an online asset. The message comes from an account with some form of non-personally identifying avatar, perhaps symbolising how hackers are frequently portrayed online—so hoodies, green screen, random segments of binary, that sort of thing. The account name is equally anonymous, frequently in leetspeak or with segments of hexadecimal code or other security-related symbolism.

It's almost certainly a young man behind the account, perhaps not yet an adult or possibly having arrived there very recently. They're at home or in another safe environment, usually connected over a VPN or another anonymising service. It's not that they believe what they're doing is wrong; rather they, have a healthy distrust of authority. To a degree they're right: even though many wouldn't like to admit it, redistributing material of this nature may well not be received too well, particularly within the jurisdiction of the United States' CFAA law.

I don't ask where the data has come from because I don't want to know. I mean, they make representations of whose system it's come from and obviously that's important information, but I don't want to know how they came to be in possession of it. In many ways, that's inconsequential information and whether they exploited the system themselves or obtained it from another trader, it remains something that occurred in the past.

In many ways, it's the traders that intrigue me the most. Some of them are simply hoarders, collecting and archiving data because… well, they're often not sure themselves. Maybe it'll come in handy one day. Others relish the challenge of password cracking—a breach appears with a weak hashing algorithm and it's game on to see who can resolve the greatest proportion of them back to plain text.

But there are also those who seek to commoditise the data. They're looking for remuneration to redistribute hacked accounts either privately or via darknet marketplaces. Others create shady services with a thin veneer of legitimacy to capitalise on the misfortune of those adversely impacted by the incident.

Data breach traders never expect to get caught. There's almost always an outwardly facing sense of bravado, their resolve strengthened by virtue of those fabricated avatars and handles protecting their true identities from behind masked IP addresses. They feel safe, often invincible, and rarely uncertain about anything. They travel in circles where reputation is important and a healthy degree of confidence and strength is required to establish themselves. That's not that different from many of our societal circles, but it's amplified when you can fabricate whatever identity you like.

There are many parallels with those of infamous online identities who've eventually misstepped. When we've seen these individuals de-cloaked—often very publicly and often amidst legal dire straits—the underlying personalities are frequently very… different. They're regular people; polite, courteous, often shy. Many of them are actually quite extraordinary and turn out to be highly intelligent individuals with genuine smarts.

The worry I have for these guys is that the path they're going down with the expectation of anonymity and invincibility can be hugely detrimental should their underlying identities be exposed. Of course they're convinced that'll never happen, and that only compounds the problem as they take increasing risks. I mentioned the CFAA earlier: federal prosecutors have talked about sentences which rival murder charges for what seem like comparatively innocuous events.

If there's one thing I'd encourage anyone dealing with this class of data to do, it's this: act as though they're not anonymous. If they feel uncomfortable with actions of the nature described above being attributed to them personally and believe anonymity is necessary, now's a really good time for them to think about why that may be and ultimately, how sustainable that is.

The Hacks We Can't See is Motherboard's theme week dedicated to the future of security and the hacks no one's talking about. Follow along here.