When is a breach not a breach? When there are too many unanswered questions, apparently. Have I Been Pwned (HIBP), the database of breaches, is owned and operated by Troy Hunt, who performs due diligence on each breach before adding it to HIBP. A recent supposed breach of Badoo account information was presented to Hunt, who did his normal checking and cross-checking of the data to verify its veracity. Unfortunately, Hunt could not come to a definitive conclusion about whether the data actually came from Badoo. Per Hunt:
“[S]ometimes there are breaches where I just can’t be certain of the authenticity, yet there are many indicators which point to an actual breach. The incident sits in that grey area between ‘very unlikely to be legitimate’ and ‘almost certainly legitimate’.”
Hunt’s post analysing the ‘Badoo’ data and introducing the notion of ‘unverified breaches’ can be found here, but whether a breach is classed as verified or unverified seems to boil down to these basic factors:
- The service provider confirms (or denies) there was a breach
- The data itself is consistent and has sufficient detail (or not)
- There is confirmation (or denial) of data accuracy from breached users
- Testing of the data against the site’s password reset tool is successful (or not)
If the data does not pass all of these tests but still looks like it came from somewhere real, the safe course is to report it anyway, even if it has to be qualified as unverified.
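As an added illustration of the second factor (the data being consistent and sufficiently detailed), the script below runs a few internal-consistency checks over a constructed sample of records: field completeness, address validity, duplicate rate, and whether every password hash shares one format, since a mix of formats often points to an aggregated list rather than one site's database. This is example code written for this post, not tooling from HIBP or Troy Hunt, and the sample rows and the dummy bcrypt string are made up.

```python
import hashlib
import re
from collections import Counter

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
HASH_FORMATS = {  # longer / more specific patterns are checked first
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
    "sha1-hex": re.compile(r"^[0-9a-f]{40}$"),
    "md5-hex": re.compile(r"^[0-9a-f]{32}$"),
}

def md5(text):
    return hashlib.md5(text.encode()).hexdigest()

# Constructed sample in "email:hash:signup_date" form; not from any real breach.
SAMPLE_DUMP = "\n".join([
    f"alice@example.com:{md5('sample-1')}:2012-03-04",
    f"bob@example.net:{md5('sample-2')}:2012-05-19",
    "carol@example.org:$2y$10$CwTycUXWue0Thq9StjUM0uJ8.1vZWgQ0cJ1uVOmgmkGQ8H3YQs0Ju:2013-01-02",
    f"dave@example.com:{md5('sample-3')}:2013-07-21",
    f"alice@example.com:{md5('sample-1')}:2012-03-04",  # exact duplicate row
    f"not-an-email:{md5('sample-4')}:2014-02-11",        # malformed address
    f"erin@example.net:{md5('sample-5')}",                # truncated record
])

def hash_format(value):
    """Classify a password-hash string by its textual shape."""
    for name, pattern in HASH_FORMATS.items():
        if pattern.match(value):
            return name
    return "unknown"

def triage(dump, expected_fields=3, sep=":"):
    """Return internal-consistency indicators for a purported dump."""
    rows = [line.split(sep) for line in dump.splitlines() if line.strip()]
    emails = [row[0].strip().lower() for row in rows]
    formats = Counter(hash_format(row[1].strip()) for row in rows if len(row) > 1)
    return {
        "records": len(rows),
        "complete_records": sum(len(row) == expected_fields for row in rows),
        "invalid_emails": sum(not EMAIL_RE.match(e) for e in emails),
        "duplicate_emails": len(emails) - len(set(emails)),
        "hash_formats": dict(formats),
        "single_hash_format": len(formats) == 1,  # False suggests an aggregated list
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On the sample above the mixed md5/bcrypt formats, the duplicate row, the malformed address and the truncated record are exactly the kind of inconsistencies that push a dump toward the unverified end of the scale.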
What does this mean for end users? Despite the new ‘unverified breaches’ category, I see the end result for the user as the same: you need to change your password, and change it now. Changing your password because it might be used by someone else has become the Internet equivalent of turning around at the end of the block and driving back home to check whether you left the iron on. Just do it; it’s usually really simple, and you’ll sleep (and drive) better.