Over the weekend, a Have I Been Pwned (HIBP) subscriber contacted me after they found their Spotify credentials online. It turns out that this particular woman went searching for her specific password after finding “some guy listening to Mexican music from a foreign device on my acct”. In the search results, she found a site hosted on Google’s Blogger service with troves and troves of Spotify credentials, among others. Now I’ve seen a lot of lists of “hacked Spotify accounts” in the past and to date, they’ve always been collated as a result of credential stuffing as opposed to Spotify themselves having been breached. She pointed me to the site with the (obfuscated) content you see below and I now had a decision to make: do I add this to HIBP as a paste?
Let me scroll back a bit for context – I introduced the paste service to HIBP almost 3 years ago and for the most part, it runs as an entirely autonomous service. It monitors various sources for the appearance of email addresses likely to be related to data breaches, loads them in then notifies people as required whilst also making them searchable via the home page. There’s also the ability for me to manually load in any specific URL from any other site that might be hosting such data. However, the vast majority of these pastes were publicly visible on Pastebin and as such, I originally made the most recent ones visible on HIBP too:
Increasingly, this feature has concerned me. Yes, the data was already out there and easily accessible on the clear web, but the paste service was making the data even more accessible. It was that age old trade-off of how discoverable do I make data breaches whilst also being conscious of the potential impact on those caught up in them (incidentally, I presently have a much longer piece specifically on this in draft).
Fast forward to last weekend and the woman who contacted me was saying “I searched in HIBP for my email and couldn’t find myself listed on that page”. So I had a conundrum: I could manually load that URL (and others on the site in question), which would notify her and any other HIBP subscribers, but that would also then list the incident in a way that anyone browsing HIBP could then discover the trove of credentials. Unlike the automated aggregation of data from Pastebin which required no human interaction on my part, loading this would be a conscious act and I knew these credentials were legit. I just wasn’t comfortable putting a link on HIBP directly to this so I removed the pastes listing page altogether.
This wasn’t a snap decision, rather something I’d been pondering for quite some time and the incident above simply provided the catalyst to finally do it. I’d been increasingly worried that this resource was being used for nefarious reasons and as if to demonstrate precisely the point, within hours of me removing it I received a comment on my last weekly update post:
where did latest pastes go?
As you’ll see in the thread there, I prompted the individual for some info on how they were using the pastes page and discussion ensued. I was interested in their use case so I probed for more info to which the answers were “grey hat” at best but I suspect the reality erred much more towards the darker side of that. The fact that they left a Disqus comment whilst connected via Tor and using an account with a de-identified alias on a Russian email service speaks volumes as to the likely legitimacy of what they were doing with the data (a huge amount of past malicious traffic has originated from Russian and other Eastern European IP addresses).
All this changes functionally is that the page that previously existed at haveibeenpwned.com/Pastes/Latest is gone and I’ve ceased updating the RSS feed (I’ll permanently decommission it a little later, I just didn’t want to break any dependencies on it without first writing about it). Everything else remains the same: pastes still load and notifications are still sent and yes, those notifications do indeed have a link through to the paste itself, but rather than this being visible to everyone, it’s now only seen by people who actually have their email address in there.
Removing the listing of pastes removes the main reason I didn’t load all sorts of other data sources into HIBP in the past. Keeping in mind this has no bearing on how I handle data breaches (pastes usually range from dozens to thousands of addresses and I never verify their accuracy), this move gives me more options to load data in other ways and frankly, it doesn’t take anything of any (legitimate) value away from the service.
And as for the site with all the Spotify credentials, I urged the woman who brought it to my attention to submit an abuse report to Blogger. She did this and they responded as follows:
Now I’m sure there are “reasons” why their policies are as they are and maybe it’d take Spotify themselves to lodge an abuse report here, but this sucks. If you’re reading this and you’re from either Google or Spotify and would like to get this cleaned up, contact me and I’ll pass on the relevant info. In the meantime, at least HIBP subscribers can now see what data of theirs is floating around on this site.