As I was scrolling through my usual feed this morning consisting of ten different platforms with ten similarly guarded accounts, I came across the news that a recent malware exploit, dubbed “gooligan” compromised 1 million Google accounts. The exploit roots your phone (if it is running any flavor of android 4 or 5) and compromises authentication tokens. The process continues by installing unwanted apps to your phone linked to the malware, and rates them to raise the app’s reputation. People (not including myself thankfully because I run the latest OS [Nexus and Pixel users get special treatment]), then flocked to usual safe havens like haveibeenpwned.com or checkpoint.com to see if their details were compromised. If details were compromised, users have to evaluate their situation with a list of questions:
- How many accounts was my Google account linked to?
- Do I use the same information for multiple outlets?
- Why haven’t I changed my password in over two years?
- Did I feed my dog this morning?
After the initial evaluation happens and minimal measures taken, the user moves on – typically not changing their habits. Unsurprisingly, these compromising situations are becoming more and more common each year. Thankfully 2015 is still one of the worst years for data breaches, including the more famous one involving Apple and 225,000 accounts. However, 2016 saw more popular platforms compromised like Linkedin, Snapchat, Dropbox and Yahoo (honestly the AdultFriendFinder compromise was poetic justice).
These checker websites that aggregate these breaches scan the breaches that are sometimes made publicly available, but other times are bought from the darkweb for thousands of dollars through bitcoin. Troy Hunt, who is the creator of haveibeenpwned.com would sometimes buy the data, and then release it in an effort to encourage people to actually change their credentials and be more mindful of their password management. But the problem with that was small pseudo-hacker groups like ourmine would take this information and compromise other accounts of people who used the same credentials across services.
Ourmine has an interesting business platform: they run evaluations of your accounts which consists of them trying to breach it for a price. If breached, they offer consulting services, but if not, you’re still out at least $10. However, Ourmine’s viral marketing platform consists of digging through these publicly made archives by real hackers, finding high profile people who might’ve not changed their details, and then leaving fun messages on their accounts like “don’t worry, we are just testing your security.” Their most recent newsworthy “hack” consisted of exploiting VidIQ, a YouTube analytics and channel management platform, to change the metadata of famous YouTuber’s videos.
We do everything on the internet from banking, to social media, to even shopping, and in the process of doing so, we’ve given up the one quality that separates us from objects: control. We not only submit our information on a daily basis to private companies who do God knows what with our information, but we entrust these companies that we use with our personal data. We’ve given up security for convenience and it looks like we don’t even care remotely about the former. The best we’ve come up with so far is two-factor authentication and even that is still vulnerable. We are expanding our systems and services to far reaching horizons, but at the same time we’re slowly losing our own sense of self in the process. Are we individuals anymore, or have we now become data blended into a publicly leaked repository.