Over the past year, there have been several data breaches and leaks which affected millions of South Africans.
Two such incidents were the “Master Deeds” leak almost a year ago, and the traffic fine payments platform database leak in May.
In both instances, database backup files had been uploaded to web servers where they could be easily downloaded by anyone who knew what to look for. No passwords or other forms of access control protected the files.
The Master Deeds database file was discovered on a web server belonging to Jigsaw Holdings.
It later emerged that the company’s live database wasn’t well secured either, and potentially exposed the records of over 75 million South Africans.
Data exposed in the leak included full names, ID numbers, addresses, employment details, contact information, and “alive” statuses.
The traffic fine payments platform database that was leaked in May belongs to ViewFines.
It contained the details of 934,000 South Africans and included names, ID numbers, cellphone numbers, email addresses, and plain-text passwords.
Have you been pwned?
Leaks such as these where data has been publicly disclosed, and is readily available online, generally get reported to a site called “Have I Been Pwned?”.
Troy Hunt operates the site, and he has earned the reputation of being the definitive source on data leaks and breaches.
A key feature of Have I Been Pwned? is its notification service, which allows you to subscribe your email addresses to a mailing list.
Should any of your email addresses appear in future data dumps, the site will notify you of the breach, along with any details about what data may have been compromised.
The site also offers a search interface where you can type in your email address to see which previous data breaches it may be contained in.
Besides the Jigsaw and ViewFines leaks, which were both added to Have I Been Pwned?, the notification service includes details on the following South African data dumps:
- eThekwini Municipality — 81,830 accounts affected, reported in September 2016.
- Ster-Kinekor — 1,619,544 accounts affected, reported in March 2017.
It is also worth noting that there have been several data dumps that were not linked to local sites that may contain South Africans’ email addresses.
Most recently, a collection of almost 42 million pairs of email addresses and plain-text passwords was uploaded to Kayo.moe, a free public file-hosting service. The site’s operator contacted Hunt, who concluded that it was a credential stuffing list and loaded the data into Have I Been Pwned?.
Has your password been pwned?
To check whether your password has been compromised in any of the breaches tracked by Have I Been Pwned?, Hunt has launched Pwned Passwords.
Pwned Passwords contains 517,238,891 real world passwords previously exposed in data breaches.
The passwords are not made available in plain text; the downloadable lists contain SHA-1 or NTLM hashes of them, so a password can be checked without the service ever holding or receiving it in the clear.
Hunt’s Pwned Passwords page states that the previous exposure of these passwords makes them unsuitable for ongoing use, as they are at much greater risk of being used to take over other accounts.
“Attacks such as credential stuffing take advantage of reused credentials by automating login attempts against systems using known emails and password pairs,” the site states.
“Password reuse is normal. It’s extremely risky, but it’s so common because it’s easy and people aren’t aware of the potential impact.”
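The following is an added example, not code from the article or from Have I Been Pwned? itself. It shows how a password is checked against a hashed list like Pwned Passwords without sending the password anywhere: hash it with SHA-1, take the first five hex characters as a range prefix, fetch only that range, and compare the remaining 35 characters locally. The range response format ("SUFFIX:COUNT" per line) and the endpoint in live_fetch come from the service’s public API, which this article does not describe; the sample range data below is constructed for the example (the first suffix is the genuine SHA-1 suffix of the word "password", the other two lines are made up).

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a range response for prefix 5BAA6. Each line is
# "<35 hex chars of the SHA-1 suffix>:<number of times seen in breaches>".
# Only the first line is real (SHA-1 of "password"); the rest are filler.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "0000000000000000000000000000000000A:12\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\r\n"
    ),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char range prefix and 35-char suffix."""
    return digest_hex[:5], digest_hex[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the list, or 0.

    Only the 5-char prefix leaves this function; the full hash and the
    password itself never do. Padded (count 0) entries naturally yield 0.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in fetcher that serves the constructed sample data above."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def live_fetch(prefix: str) -> str:
    """Real fetcher against the Pwned Passwords range API (needs network).

    Add-Padding asks the service to mix in dummy zero-count entries so the
    response size does not hint at how many real hashes share the prefix.
    """
    import urllib.request

    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration with the constructed sample; swap in live_fetch
    # to query the real service.
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, offline_fetch)
        verdict = f"seen {n} times, do not use" if n else "not in sample list"
        print(f"{candidate!r}: {verdict}")
```

Note that a count of 0 only means the password was not in the list checked; it says nothing about its strength, and the live service should be treated as a blocklist check, not as approval.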
Have I Been Pwned? can’t tell you everything
Have I Been Pwned? is an extremely valuable service, but it does have a few (intentional) limitations.
Since it looks up information and sends notifications based on email addresses, if a database does not contain an email address for every user, you may not be notified of a leak or breach.
The Master Deeds leak was one such example.
While there were over 75 million records exposed, only 2.2 million of them had email addresses associated with them.
Some records were outdated, and many others were for newborns and children who wouldn’t realistically have any personal contact information.
However, it also stands to reason that there will be many millions of valid records that simply don’t have an email address associated with them.
Just because Have I Been Pwned? can’t find your email address in the Master Deeds leak, doesn’t mean your personal data wasn’t compromised.
Conversely, just because your email address was in the Master Deeds leak, doesn’t mean the rest of the information about you in the database is accurate.
That said, it is best to operate on the assumption that your personal information is readily available to an attacker.
Data aggregation companies and credit rating agencies collect and sell personal information to third parties, making it possible for an attacker to obtain such data entirely legally if they wanted to.
Leaks without public databases
There have been recent leaks and breaches where there were no public databases to upload to a service like Have I Been Pwned?.
Globally, there was the Cambridge Analytica scandal where a personality test developed by a third-party used the Facebook platform to harvest the personal data of 87 million Facebook accounts.
Facebook said it would contact each of the affected users to let them know what had happened.
In South Africa, Facebook wrote to the information regulator to explain that while only 13 people in South Africa installed the app, 96,121 people in the country were affected due to being friends with those who downloaded the application.
Another incident earlier this year involved a hacker or group of hackers that breached the network of Liberty Group.
Clients were notified via SMS, email, and a notice on the Liberty website about the attack.
Liberty said that the attackers compromised an email server, and that a criminal investigation is underway.