Before Germany’s Massive Hack, We Learned What Not to Do With Sensitive Stolen Information
A new massive hack and leak in Germany renews the debate over how to cover and share sensitive stolen data.
Someone has been publishing a massive trove of sensitive personal information—including phone numbers, private chats, family photos, and documents—of dozens of German politicians in what some are calling “the biggest hacker attack” in the country’s history.
The leaks first attracted widespread attention in Germany, and subsequently around the world after news outlet RBB first reported on a Twitter account that spread the data. (Twitter has since suspended the account.) The person or people behind it had been posting links to the stolen data since early December, but apparently very few noticed until Thursday, after YouTube celebrity Simon Unge revealed he had been hacked too.
The hackers behind the leak appear to have carefully disseminated and backed up the files online on several platforms to avoid takedowns. According to the security expert known as The Gruqg pointed out, the data had been uploaded to as many as 161 different locations online.
As of Friday, we don’t have many definitive answers about what’s going on: who is behind the persona used by the hackers who painstakingly and slowly published the data online? How did they get all this data about so many different people? What are their real motives?
These answers will probably only come after a long investigation. In the meantime, as journalists and readers, we must be very careful. There’s an inherent and almost irresistible allure to hacked private data, but we need to ask ourselves if it’s worth boosting it and spreading it further, especially considering that we do not know who stole it or what their motivations are.
This is of course not the first time hackers have dumped stolen or hacked data online with the apparent goal to cause a ruckus and attract media attention. Most famously, months before the 2016 US presidential election, Russian spies posing as a lone Romanian hacker started publishing documents allegedly stolen from the Democratic National Committee. In the following weeks and months, the data slowly dripped online, both via the spies’ online persona (named Guccifer 2.0) and via WikiLeaks, which then also published emails stolen from Hillary Clinton’s campaign chairman John Podesta.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
The modus operandi of these kind of hack and leak operations is very well known at this point, and has been refined over the years.
In 2014, North Korean hackers broke into Sony Pictures and started dumping thousands of emails of Sony executives. Just like they would two years later with the DNC and Podesta leaks, journalists eagerly plowed through the messages highlighting even the most trivial of stories, such as a Sony executive’s choice of pubic hair product. In that case, news stories were written about private citizens, many of whom were average people who had done nothing newsworthy or wrong.
Similarly, the Podesta emails barely contained anything incriminating or scandalous, but simply because they were stolen and private emails of a prominent political figure they, felt salacious and were endlessly picked over.
In 2017, hackers targeted Emmanuel Macron, then candidate to become France’s president, with a similar leak ahead of the elections with the apparent goals of causing political uncertainty.
Of course, these are all newsworthy events that need to be covered. But by recklessly highlighting stolen data—especially if it’s highly personal—journalists, readers, and the people who share the documents run the risk of not only hurting hacking victims again, but also promoting the hackers’ agenda. As witnesses and narrators of current events, we hold a lot of power and we need to use it wisely. Our megaphones are powerful and need to be tuned and used in the right way: report the news without furthering the agenda of hackers or spies.
On Friday, for example, some journalists and media outlets published screenshots of the hackers’ Twitter profiles used to disseminate the German politicians data without redacting links to the hacked data itself, which at the time were apparently still live.
Disinformation expert and Johns Hopkins professor Thomas Rid warned on Twitter that “it is highly unethical to further publicize access to all the private data of so many prominent, high-interest individuals.”
John Hultquist, the director of intelligence analysis at security firm FireEye, told me that we should exercise caution here.
“Just like a interview that has been edited unethically, we may be getting a purposely misleading view,” he said in an online chat. “I think we should focus on why these things were leaked rather than what was leaked.”
It’s time to prove we can learn from our mistakes and think carefully about what kind of information we're spreading before we Tweet and post about it on Facebook as we did with Podesta and other previous hacks and leaks.
“I hope we learned that lesson after 2016,” Hultquist said.
Listen to CYBER, Motherboard’s new weekly podcast about hacking and cybersecurity.