It’s a common question: What happens to your data after a hacker steals it? Understanding the nuts and bolts of an attacker’s post-hack routine is not only interesting, but it could also help you minimize the damage if your data is stolen. (Note that the following information is a general overview of the most common steps a hacker takes to monetize stolen information. Individual cases may vary and this does not apply to nation-state actors that hack for reasons other than making money.)
Once an attack has happened and the criminal has your data, he or she likely runs through the following steps, which we like to call, “A Hacker’s Post Breach Checklist:”
Inventory the stolen data – Hackers will look through the stolen data files for authentication credentials, personal information like names, addresses and phone numbers, and financial information like credit card details.
Sell personal information – Next, the hacker will package up personal information like names, addresses, phone numbers, and email addresses and sell them, typically in bulk. These are more valuable the more recent they are. According to Quartz, a full set of someone’s personal information including identification number, address, birthdate, and possibly credit card info costs between $1 and $450 with a media cost of $21.35.
Look for the good stuff – Hackers will then inventory authentication credentials further and look for potentially lucrative accounts. Government and military addresses are very valuable, as well as company email addresses and passwords for large corporations. Since people often re-use their passwords, hackers can often use credentials for military or corporate accounts to target other companies. For example, Dropbox was breached in 2012 using credentials stolen in the LinkedIn data breach earlier that year. A hacker may plan such a hack himself, or he/she may sell the credentials to others on the dark web for a much higher price.
Offload the cards – Financial information like credit card numbers are packaged and sold in bundles. An individual with the right knowledge could easily buy credit card information in groups of ten or a hundred. Usually a “broker” buys the card information, then sells them to a “carder” who goes through a shell game of purchases to avoid being detected. First the “carders” use stolen credit card to buy gift cards to stores or to Amazon.com, then use those cards to buy physical items. The carder may then sell the electronics through legitimate channels like eBay, or through an underground dark website. Read more about the process of monetizing stolen credit card data here.
Sell in bulk – After several months, the hacker will bundle up authentication credentials and sell them in bulk at a discounted price. By now, most of the credentials are worthless since the company has most likely discovered the breach and taken steps to repair it. For example, a database containing the entire LinkedIn credentials dump is still available.
The dark web, in case you’re not familiar with the term, means a set of encrypted networks that have been intentionally hidden from view and require special software to access. Most of the time when people say, “dark web” they mean content hosted on the Tor network, a system of relays that obscures IP addresses. Using Tor or a similar network (there are others, but Tor is the most popular) prevents somebody watching your Internet connection from learning what sites you visit and keeps websites from determining your physical location. Because of this guaranteed anonymity, the dark web hosts many illegal sites, such as the former Silk Road drug marketplace. Selling stolen data usually happens on dark web sites.
So what can you, the consumer, learn from this?
First, make sure you use different passwords for each of your online accounts. That way, even if one is compromised the rest will be safe. Second, act quickly if you suspect your personal information has been stolen. If you have an account with a company that reports a breach, change that password immediately. You can check if any of your accounts have been stolen on haveibeenpwned, a website run by a Microsoft security researcher that searches data breach info dumps. You can’t always prevent your data from being stolen, but by reacting quickly you can minimize the damage.