
Sensitive data compromised through hacking, or exposed through human and technology errors, often ends up posted anonymously on public forums like Pastebin and similar venues.

Often it is only because an alert security practitioner or other “nice guy” notices and reports such a data dump that the compromised organization ever learns of the breach. The entity then usually scrambles to assess the extent of the compromise and begins the laborious task of notifying those who may have been affected, particularly if the breached data includes information about consumers, clients, or business partners.

The good news is that sites like Pastebin are fairly quick to act and delete the offending post. While this helps to some degree in protecting those exposed from being victimized, the problem is that the Internet is not so easily scrubbed of such data, as it is often cached or otherwise preserved.

Complicating matters, there are more than a few “dump services” that seek to alert anyone and everyone to the posting of sensitive data by malicious actors. Depending on your point of view, these automated web-scraping bots may be seen as helpful in disseminating the information, or as doing more harm than good by propagating data that should not be broadcast widely.

A friend of mine, security researcher/instructor/consultant J. Oquendo of EFENS!VE Security Strategies, takes the latter position, and has taken it upon himself to create his own automated system that similarly scours the web for data dump sites, but then takes the further step of notifying the affected parties if the leaked data happens to include email contact information.

“So I was bored (ADD/ADHD) and annoyed by these dump accounts (primarily),” Oquendo told me in an email. “So I decided to write a program that looks for data dumps, parses out the email addresses of those affected, then generates a template message: Hey… Your data has been leaked, this is the site that was associated with the leak, and this is the site posting the leak – I call it CounterDump.”

According to an explanation posted by E-FENS!VE regarding CounterDump, the service “aims to notify affected users of data breaches that contain information relevant to them. This can include usernames, e-mails, passwords, social security numbers, credit cards. We offer this service as a form of Internet Public Service. There is no charge, there are no strings, there is nothing to sign up for, there is no spam, no sales. Nothing other than the desire to create a form of watchdog service for netizens who may be unknowingly affected by a data breach.”
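The pipeline Oquendo describes (find a dump, parse out the addresses, generate a template notice per address) is simple enough to sketch end to end. The following is an added example written for this page, not CounterDump's own code, and it skips the web-scraping front end: it takes the text of one paste and a URL for it and produces the notifications. The paste contents, the `target:` header convention, the addresses, the passwords and the paste URL are all constructed for the example. The one design point worth copying is that the notice contains the recipient's own address, the site associated with the leak and where the dump was posted, and nothing else from the dump (no password, no other victims' lines), which is exactly the difference between notifying someone and re-broadcasting the leak that the comments below argue over.

```python
import re
from collections import defaultdict

# Constructed sample paste (not a real leak): the target site, the addresses
# and the passwords are invented for this example. Dumps commonly carry a
# header naming the breached site and "email:password" or "email|password"
# lines, often with duplicates from re-posting.
SAMPLE_DUMP = """\
#### leaked by n0body #### target: shop.example.org ####
alice@example.com:Summer2013!
bob@example.net:hunter2
alice@example.com:Summer2013!
carol@example.org|Pa$$w0rd
this line contains no address at all
"""

# Constructed URL of the paste itself. The notice points here so the
# recipient can see the posting without the message repeating its contents.
SAMPLE_PASTE_URL = "https://paste.example/raw/abc123"

EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)
# Assumed header convention for this example; real pastes vary wildly.
TARGET_RE = re.compile(r"target:\s*([A-Za-z0-9.-]+)", re.IGNORECASE)


def extract_emails(dump_text):
    """Unique, lower-cased addresses in first-seen order.

    Dumps are frequently re-posted with duplicate lines, so dedupe here
    rather than sending the same person several notices.
    """
    seen = {}
    for addr in EMAIL_RE.findall(dump_text):
        seen.setdefault(addr.lower(), None)
    return list(seen)


def guess_leak_source(dump_text):
    """Site named in the paste header, if the poster included one."""
    m = TARGET_RE.search(dump_text)
    return m.group(1).lower() if m else None


def group_by_domain(addresses):
    """Map mail domain -> addresses, so a single notice can also go to each
    domain's abuse or security contact instead of only to individuals."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[addr.rsplit("@", 1)[1]].append(addr)
    return dict(groups)


def build_notification(address, leak_source, paste_url):
    """Template notice in the shape the article describes.

    Deliberately includes only the recipient's own address, the site the
    leak is associated with and where it was posted. The leaked password and
    the other victims' lines are never copied into the message.
    """
    source = leak_source or "an unidentified site"
    return (
        f"To: {address}\n"
        f"Subject: Your account details appear in a public data dump\n\n"
        f"Your address {address} appears in a data dump associated with "
        f"{source}. The dump was posted at {paste_url}. If you reuse the "
        f"password from that site anywhere else, change it now. This is a "
        f"one-time notice; there is nothing to sign up for and nothing for sale.\n"
    )


def notifications_for_dump(dump_text, paste_url):
    """Run the whole pipeline over one paste: parse, dedupe, template."""
    source = guess_leak_source(dump_text)
    return {
        addr: build_notification(addr, source, paste_url)
        for addr in extract_emails(dump_text)
    }


if __name__ == "__main__":
    for message in notifications_for_dump(SAMPLE_DUMP, SAMPLE_PASTE_URL).values():
        print(message)
```

Sending is left to whatever mail path you trust; the part worth testing is that the parser dedupes the re-posted line and that no notice leaks a password or another victim's address. The `target:` header is an assumption of this example, and in practice the leak source often has to be inferred from the paste title or left as "unidentified", which the template already handles.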

Oquendo went on to explain that creating and deploying the service has brought more than a few headaches for himself and his company.

“Trying to do something nice, I set myself up as a target for those doing the hacking, as they will likely find out about CounterDump, and breach victims/companies will likely think I had something to do with the compromise, and so on,” Oquendo said.

“I also spoke with lawyers at Stanford University and law enforcement officials to make sure I was not breaking any laws by accessing the data and notifying the victims. I was told to spell it all out clearly, so hopefully that page on our company website is worded correctly,” Oquendo continued.

Now that the service has been up and running for a short time, I asked Oquendo if he had received any feedback on the notifications.

“Well, we notified one company about their data being breached, and I guess someone didn’t completely read the message we had sent them,” Oquendo said.

“They replied with something like: Thanks a lot you [redacted nastiness], you didn’t secure your site and now my credit card information is owned! To which I responded: Uh, you really need to read your email better.”

So much for trying to be the ‘nice guy’…

  • Hey there!

    Nice post! I'm the creator of @dumpmon, and just wanted to clarify that my bot simply aims to provide a service which gives the "good guys" the same information attackers already have. I'm glad to see services like Counterdump get started which can take the next step of notification (something I've had integrated into my running bot for a while :))

    Just for my own curiosity – any idea why the creator of Counterdump was "annoyed" by dumpmon? If possible, I'd like to help clear up any issues with the service that may have annoyed him.

    Thanks for writing!

  • Hey Jordan, others. I wasn't annoyed at you per se, but more at the concept of dumpmon. In your scenario, you're aggregating information which enables attackers to abuse this information. Imagine the following: You see someone on the corner of where you live. This individual has a sign that says: "house on 1 East Main Street (the yellow one with the green striped windows) has just been robbed. Robbers left the door opened too!" For all to see. Rather than notify the homeowner (person whose information was posted), or perhaps the authorities (server administrators, etc.), this individual is potentially setting the homeowner up for further loss.

    It took me a single one-liner to take what you had, parse it out, and e-mail those affected. I am sorry if you felt singled out; perhaps my article/email seemed as if you were singled out, but 1) I didn't want to post "underground" sites that do something similar (see corner analogy above). Your site is publicly visible. 2) Your write-up interprets nothing more than: "hey data is being posted. I am aggregating it because I find it interesting"

    I did see the other posting for Google Alerts, which is a good suggestion, but the average person who had their data compromised from these dumps is not too tech-savvy. I have now answered who knows how many email responses to my alerts. Many are thankful, some lob accusations ("he who smelt it dealt it"), many returned mails, autoresponders, etc. For the companies who have responded, many have been thankful about the notification.

    So counterdump from my perspective was meant to be a service in just that sense:

    a : the work performed by one that serves <good service>
    b : help, use, benefit <glad to be of service>
    c : contribution to the welfare of others

    Whereas calling dumpmon a service is a bit confusing. Who does it help when you have re-posted someone's social security number, credit card information, home address… Everything but the kitchen sink.