Just how much data do you volunteer in social media?

Most of us spend a great deal of time on social media in one form or another. I know that I do, for a myriad of reasons. I seek entertainment, spread humor, gather information, keep up on the daily news (which I need to go fact check to make sure I am getting the truth), and even run a micro home business.

We know, of course, that we give up data to the social media host when we provide information to set up the account.

To use Facebook as a generic example (you can really use any social media platform for this discussion), it will only take a few minutes of scrolling through your ever-growing feed to find yourself participating in fun interactive memes and discussions.

Have you seen the memes that ask what the number one song was the year that you were born? Well, many of us are aware that one of the common security questions is “What was the first concert that you went to?” Oh, so many fall for that one every hour, even with the wise commenting that it is a security question… sigh. So I, and others who are like minded, like populating the answers with smart alec responses to pollute the data that the scrapers are gathering.

For all intents and purposes, scammers can either post those memes to directly get the responses, or they can just pull data in from other people’s posts as long as they can read them. The data that they want? Well, it could be anything.

Here is where I am starting to take the discussion to help you learn something important. Something that many do not consider. We will call it a value add for your reading this far and actually caring.

Let’s suppose that instead of being a white hat (at least mostly white, or white by day and maybe some shades of gray after hours) cyber professional working for the betterment of humanity’s cybersecurity… I am a black hat who has relocated to a nation without an extradition treaty with the United States. Why would someone want to do that? Well, with black hat cyber skills it can be lucrative, and here is a possible option.

Set up a nice server room with a very comfy desk or recliner. Learn how to build databases. They are not hard to learn, but they do take forethought to build effectively so that they can house enormous amounts of data.

At this moment it is very likely that your username and password have been compromised in some data breach in the past. (There are scam emails that rely on this data; I think I have described it in the past.) There are places on the web where you can find repositories of usernames and passwords that were stolen and posted for others to use. Sometimes they are free to download, and other times they are for sale.

If I take a few of the free collections, I can add them to my database (think of it as an Excel spreadsheet on steroids). Perhaps the file had email addresses and passwords. The low hanging fruit would be to try to access the accounts, since so many rarely change their passwords. If I can get in, I might download all of the email and examine it for other data such as your name, location, family members, pets… think of all that you have sent in emails. Each of those items gets added to the database.

Remember that the initial data gathered was free. Perhaps it COULD have been sold, but not for much. The price would be in cryptocurrency so that it is less trackable, or at least harder to track. Do not let people make you think that it cannot be tracked; that is movie madness. Maybe you started with 1000 email addresses and passwords.

So you started with 1000 usernames and passwords, and after a few hours of login attempts (or perhaps you used a testing script to complete the tests in fifteen minutes), you ended up with the passwords of 100 poor suckers who never change their password. To be very honest, I think that there will be more due to password reuse [link]. So now you have a new table with known good email accounts.

When I was doing ISP tech support, I frequently heard “It is just dumb email; if someone wants to get my recipes or bad jokes from my family, they can have them.” Oh, my… what a treasure trove. A few paragraphs ago I mentioned the kind of data gathered from a live email account. So now your tables have linked the person’s name with the email address, and if there are signature blocks, perhaps street address, city, state, country, and phone number. If you wanted to sell that data, its value has gone up a little.

With all that email that you downloaded, you also identified family members. Those records get copied to another database, this one to use for trying to scam the user’s family members out of their money as they pay for bail, medical attention, or who knows what ploy they will use for their deception. Now I have two databases to sell.

Now I try to see if I can log into your social media accounts using those email addresses and passwords. Maybe I am able to get access to fifty of those one hundred? Why so many? Well, remember that they are already password reusers, so why expect that they will be better with their social media accounts?

Think of your social media account and how many friends you have there. More data to feed into the master database as being connected to the victim. I do some scrolling through the feed and I see that they identified their first job (clickety click into their records) and their first car was a 79 Celica (clickety click into their records)… oh look, their profile shows that they graduated from Gullible State University in 87. You guessed it, (clickety click into their records). This person’s record keeps getting more to it, and each added element makes it more valuable. I find more and more family, job history, favorite sports teams. Have you recognized how many security questions may be answered with this data? I may have enough gathered data to try logging into the victim’s bank account, or even open a line of credit; after all, I know the answers. If I can get into the bank account, think of the transactions I can make. I could buy cryptocurrency online and trade it back and forth through a myriad of wallets or other transactions to make it difficult to track back.

Now that I have stolen the victim’s money, I can use it to purchase more equipment, or buy more ill-gotten data to add to my database, always seeking to build it for a better sale price. When you have thousands of live and accurate records with a ton of supporting information, that price tag keeps going up. Remember that when selling data, you sell it over and over. There is no physical inventory to run out of.

Maybe my database was only worth 20 bucks per copy since it was small, but with a little knuckle grease (remember, just typing, not actual elbow grease) I improved the data to be worth $500.00/copy.

Remember that there was the second database for scams? I can use an AI voice tool to make convincing replicas of the victim’s loved ones if I can get a sample of their voice. Maybe I called them with a bogus survey to get that sample. Now I can call their mother, using that replicated voice to convince mom that I need bail money. Pick a scam; there are thousands of variations.

Since I have all of those email addresses stored from getting into those mailboxes, I can add them to a third database to use for phishing emails. Just spray those email addresses and any other email address that I can collect from the web. Someone running a phishing campaign generally only needs a 1% win rate to stay profitable. (Please, for all that you care about, watch for red flags and do not fall for these emails.) Does your employer have an email contact directory online? Perhaps an org chart that shows the person, their name, email, and maybe their desk phone? (clickety click into their records) Yes, more tables, with even more data. Those company-based records go into another database; they may be handy for other types of attacks. Surveillance, perhaps, to see if I can gain access to the corporate network to obtain yet more data. If I can get into the HR systems, will I find social security numbers nicely paired with all of the other employee data? Some days it can be too easy. Maybe I can access the networked printer in HR. Most modern printers are just computers that print. They have hard drives. Is your corporate printer also a scanner, perhaps used to scan driver licenses and social security cards to process an I-9 form for the IRS? Yeah, there is a hard drive that stores that data in the scanner/copier that might be nice for me to get into. Driver licenses…. yep, you guessed it…. (clickety click into their records) This data is getting quite valuable now.

With all of this data and being connected to family members… I wonder if I found any adult oriented associations or proclivities during my hunting. [In my profession, I once stumbled onto an employee that I did not know personally soliciting prostitutes via his email.] Now, if the victim is not worried about intruders in their email box, this information could be used to blackmail them. How much would they pay to not have all these sordid details posted online? Or how much to prevent their significant other from getting a phone call? Just transfer a certain amount of cryptocurrency to me and I will delete your record. I won’t really delete the record, but I will mark it as used. I will still sell it to others for their use as they see fit.

It isn’t just the big companies that make a killing off of you playing on social media; it is criminals worldwide. This is one of the reasons that cyber professionals are well compensated. With what I understand and can do, I would be quite dangerous if I retired overseas. I am here teaching you how to protect yourself. It is where I get my reward, that and any ad clicks that happen in appreciation. Money is good, but as long as my family is housed, clothed, fed, and loved by our dogs… then I am happy.

If you came away with nothing but an understanding of how those silly meme games sneak valuable data out of you, then it is a positive step. Stop and think before you reveal personal information. It does not take much to turn it into Personally Identifiable Information.

Credential Stuffing

I know that you must get quite tired of hearing about your password. We tell you to keep it strong, use multi-factor authentication, blah blah blah…

We often hear the same kinds of responses back: “but it is just my email… I have nothing of interest in there.” Yes, we know… and we sympathize. In the end we are just trying to help you. I have had other posts about the significance of strong passwords, and I have talked about password lockers/services.

Let’s talk about a different direction: credential stuffing. Now, I am going to admit that the phrase was one that I had seen, but never looked into. As you can imagine, in my role I encounter a ton of new terms and phrases and often do not have the time to keep up on them all. I will try to do a better job of selecting one and sharing it with you so that you can get nuggets of skills along the way with me.

When we have talked about passwords in the past, I have mentioned that when companies have their networks breached and data is stolen, sometimes that data is our personal data, but sometimes it is our usernames and passwords.

Since we on the whole (myself included but I am getting it fixed) are horrible for password reuse, this makes credential stuffing a danger.

So Mr. Blackhat gets their hands on a data dump, then builds a spreadsheet with your email address(es) and the password(s) that you have been known to use. Since the majority of Americans bank at one of a few national banks, they start testing to see if they can log in. If they can… great!

Fortunately, banks are getting smarter and are pushing us all to more secure login methods. If your bank is behind the times, AND you use one password all over the internet, you may well become a victim.

I wish I could tell you how many times I have seen “my [social media account] got hacked”. They were probably not hacked at all. They likely either fell for a credential harvester scam, or… were reusing their social media account password on other services that were compromised.

This brings us back to the common plea of the cybersecurity professionals. Please, PLEASE, use strong and unique passwords, and when you are able to, enable multi-factor logins. Yes, it is that important, unless you feel that donating your funds to who knows what country is a suitable form of charity work, one that you cannot even deduct from your taxes.
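From the defender’s side, the tell-tale sign of credential stuffing is one client trying a different username on almost every attempt, rather than hammering a single account. The following is an added example (not code from the original post) that runs that check over a few constructed login log lines; the log format, thresholds and IP addresses are all assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample login log (not from any real system).
# Assumed line format: "<ISO time> <client ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.9 alice LOGIN_FAIL
2024-05-01T10:00:02 203.0.113.9 bob LOGIN_FAIL
2024-05-01T10:00:02 203.0.113.9 carol LOGIN_OK
2024-05-01T10:00:03 203.0.113.9 dave LOGIN_FAIL
2024-05-01T10:00:03 203.0.113.9 erin LOGIN_FAIL
2024-05-01T10:00:04 203.0.113.9 frank LOGIN_FAIL
2024-05-01T10:01:10 198.51.100.4 alice LOGIN_FAIL
2024-05-01T10:01:20 198.51.100.4 alice LOGIN_FAIL
2024-05-01T10:01:30 198.51.100.4 alice LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse_log(text):
    """Turn log lines into (timestamp, ip, username, succeeded) tuples; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, outcome = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "LOGIN_OK"))
    return events

def find_stuffing_sources(events, window_seconds=60, min_users=5):
    """Return {ip: stats} for every IP that tries at least min_users DISTINCT usernames
    inside any window_seconds span. One user failing repeatedly from one IP (a forgotten
    password, or brute force on a single account) is deliberately not flagged: stuffing
    is one leaked password per account, across many accounts."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i in range(len(attempts)):
            start = attempts[i][0]
            users, ok_users, fails = set(), set(), 0
            for ts, user, ok in attempts[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                users.add(user)
                if ok:
                    ok_users.add(user)   # accounts the stuffer actually got into
                else:
                    fails += 1
            if len(users) >= min_users:
                flagged[ip] = {"distinct_users": len(users), "failures": fails,
                               "successes": sorted(ok_users)}
                break
    return flagged
```

The accounts listed under `successes` are the ones whose reused password just worked, so they are the ones to force a reset on, not just the source IP to block.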

Why is password re-use a bad thing?

Using the same password across multiple accounts is generally not a good idea for the following reasons:

Security Breaches: If one account gets hacked, the hacker will be able to access all other accounts using the same password.

Lack of Complexity: It is difficult to create a complex password that is unique for each account. Using the same password may mean using a less complex password that is easier for hackers to guess or crack.

Phishing Attacks: Phishing attacks can trick users into revealing their login credentials. If the same password is used across multiple accounts, the hacker can use the stolen credentials to access all the other accounts.

Personal Information: If a password is compromised, a hacker could use personal information from one account to guess the passwords for other accounts.

Compromised Devices: If a device is lost or stolen, a hacker may be able to access all accounts that use the same password.

Overall, using the same password is risky and could lead to a significant compromise of your online security. It’s always recommended to use unique, complex passwords for each account and enable two-factor authentication whenever possible.

Password Security

As I pondered how to best discuss password security, I wondered if I could find a nice history of when passwords came into use and how badly they have been handled over time. Little did I know, we have been quite bad with them since their inception. The resource I found for the subject did such a wonderful job that I am opting instead to wrap his original work into this post. Major credit and props to Troy Hunt for his wonderfully crafted article, https://stealthbits.com/blog/a-history-of-passwords/. I do hope that you will give it a full read and perhaps click on an ad while you are there to show appreciation of his work.

I have also been a fan of another piece of his work, https://haveibeenpwned.com/, which is a site that I have used many times. This is a site that will tell you if your email address has been discovered in one of the many multitudes of email/password caches out there. If you find your email address is listed there, just reset your password and move on. There is no cause for alarm unless you have that email address tied to something like… your bank account. Now, if you are one who abuses passwords by reusing the same one all over, then you may have an issue. If that is the case, then it is time that you start changing up those passwords so that one compromise doesn’t hand over the keys to your email kingdom.

Oh, I can hear you now… “but I don’t have anything worthwhile in my email box, nothing that anyone would find interesting.” Sound familiar? Think of all of the places that you give your email address to in order to log in or perhaps to verify your existence. How many accounts do you think a black hat hacker could gain control of just by being able to log into a web mail utility somewhere, posing as you with your oh so clever password (yeah, Password1)?

Really read Troy’s article; drink it in, as it will help you understand why passwords are a bigger deal than you may think. If you want to discuss the topic more, please drop a comment below. If you liked this article, please come back for more and feel free to mash an ad on your way in or out to help the cause.

Password Reuse and You

We could talk about password strength and safety first, but it is likely that you have heard that time and time again, so I will slide that one down the priority list a bit.

There are storehouses of passwords that belong to compromised email addresses. You may have gotten a phishing email that claimed to have your password. One that I have seen provided a somewhat censored version of one of my old passwords. This typically comes with a ransom demand.

The way that these situations happen is the result of human nature. It is all too easy to use the same password on all of your online accounts. Sites keep increasing the password complexity requirements, and there are so many passwords to keep track of.

When a website that you use gets hacked and the username/password database gets stolen, that data gets sold off. The majority of Americans bank at one of five major financial institutions. If the criminals have control of your email address (or, as we say in the industry, pwn it), they can get passwords reset. If they get as far as getting your bank password, where does that leave you? It doesn’t take much imagination to see how bad that can be.

If you have a list of usernames/passwords, it is like having a ring of keys. You can poke at common email providers and other services to see if those usernames and passwords open the door, allowing criminals inside.

Has your email password ever been compromised? Maybe you had to change your email password because you started getting weird email bounceback messages. Would you like to see if your email address has been discovered on a list for sale, or just out for public consumption? Try this link. (I have a few email addresses that have been blown, so don’t feel badly about being listed.)

https://haveibeenpwned.com/Passwords
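The password side of that site can also be checked by software without ever sending the password itself: only the first five hex characters of its SHA-1 hash go to the server, and the client compares the returned suffixes locally. The following is an added example (not code from the original post, and not the site’s own client) showing that comparison; it assumes the public range API shape (`SUFFIX:COUNT` lines) and substitutes a constructed response so it runs offline.

```python
import hashlib

# Assumed shape of the Pwned Passwords range API: the client fetches
# RANGE_URL + <first 5 hex chars of the SHA-1> and gets back every suffix
# sharing that prefix, one "SUFFIX:COUNT" per line (35 uppercase hex chars each).
# This example never contacts the network; see build_sample_range() below.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password):
    """Return (prefix, suffix): only the 5-char prefix ever leaves the machine."""
    h = sha1_hex(password)
    return h[:5], h[5:]

def count_in_range(password, range_body):
    """Given the server's text response for this password's prefix, return how
    many times the password appeared in the breach corpus; 0 means not found."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue                      # tolerate blank or malformed lines
        cand, _, count = line.partition(":")
        if cand.strip().upper() == suffix:
            return int(count)
    return 0

def build_sample_range(password, count):
    """Construct an offline stand-in for the server response: the real suffix of
    `password` with a made-up count, plus two made-up neighbouring suffixes."""
    prefix, suffix = split_hash(password)
    lines = ["0123456789ABCDEF0123456789ABCDEF012:3",
             f"{suffix}:{count}",
             "F" * 35 + ":1"]
    return prefix, "\r\n".join(lines)

if __name__ == "__main__":
    prefix, body = build_sample_range("Password1", 12345)
    print("would request", RANGE_URL + prefix)
    print("seen in breaches:", count_in_range("Password1", body))
```

A password manager or signup form can run exactly this check to refuse a password that has already shown up in a dump, which is the practical fix for the reuse problem described above.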

Where do you go from here? Regardless of whether you have been compromised in the past or not, you can help protect yourself from this moment forward by starting to use different passwords for each account. This is where a tool to track your passwords in a secure manner is important. There are many password storage tools out there. Some are subscription based, some are free. This is not an endorsement, but I can say that I have had good experience with Password Safe. Some of the important aspects to consider are that the tool stores your usernames and passwords using encryption, and that the tool is easy for you to use. If it is not easy, you won’t use it.

Please feel free to share your experiences in the comments. Maybe you have a password storage tool that you feel is wonderful, share it with the group. I am always happy to look over new products. Perhaps your input will give the rest of us a better tool to help us in staying safer.

Enjoy the day, and be good to those around you.