How to mitigate damage from data breaches
Open with Neovim
curl -s https://rpassos.net/articles/how-to-mitigate-damage-from-data-breaches.md | nvim -R -c "set ft=markdown"
This article will go over how to reduce the damage inflicted by a data breach by compartmentalizing data stored by servers to be exclusive and non-identifiable.
About data breaches
A data breach refers to the unintentional exposure of data stored by servers. This often involves a website leaking user data as a result of cyber criminals gaining unauthorized access.
Consequences of data breaches
From a user's perspective, this can lead to various negative consequences.
Highly sensitive data can be used to blackmail victims into paying a ransom in crypto currencies or gift cards with the threat of making the data public. The blackmail can also lead to victims being pressured into giving even more detailed information, which can be used for further blackmail against related individuals.
An example for a high-severity case is the Ashley Madison data breach, a website enabling extramarital affairs. Tory Hunt lists some "pretty crazy stuff" on his blog titled "Who Decides Who Doesn’t Deserve Privacy?".
A high severity data breach of a different kind would entail email addresses and passwords being exposed to the public. This is especially damaging in case a user has the same username and password across all accounts.
Small scale data breaches also bring negative consequences, even if they do not reach the news. For scam and phishing attacks, it is often enough to know how a contact method is associated with a certain cause. For example, it might be enough for a scammer to know that certain phone numbers or email addresses are associated with a singer's fan club in order to start a phishing campaign asking for money in exchange for a supposed exclusive concert.
On an even smaller scale, information of an email address being in use is enough for spam organizations to start sending all sorts of emails ranging from Nigerian prince scams to targeted advertisement.
Overview for solutions
Building a strong defense against data breaches has diminishing returns depending on the effort, but it is safe to say that the lion's share of problems can be resolved with just the basics.
1. Password managers
2. Two factor authentication (2FA)
3. Email aliases
4. Deleting unused accounts
Each step varies in time and effort required for set up. It is up to the individual to determine the extent to which the costs outweigh the benefits.
Password managers
A password manager is an app that creates and stores password entries for accounts. Each entry can contain additional information such as the associated email address, log-in URL, and descriptions or notes.
Beyond the most obvious benefits of using a password manager, there are many positive downstream effects; all of which will be covered in this section.
The main problem that is solved is the case where a user has the same login credentials for all accounts. This is a highly risky practice, since a single compromised account would lead all others to get breached as well. Instead, a password manager creates a long computer generated password for each account and saves it to it's database, making it as good as impossible to guess.
It is important to note that humans are inherently flawed at coming up with unique and random strings of characters that would be unpredictable to others. Remember; the password to the Louvre's video surveillance system was "Louvre".
Even outright negligence aside, a concerning number of people consider their pets name followed by the first two digits of their birthday to be a unique password.
On a broader note, a password manager offers a basic organizational overview to keep track of all active accounts, when they were created, when the password was last updated, and some more quality of life features. For example, password managers can detect login fields in browsers in order to automatically fill in the credentials using entries from the database.
Even though setting up a password manager sounds like a lot of work, it is not mandatory to do the migration at once. It is perfectly understandable to start migrating account credentials to a password manager gradually, so as to not feel overwhelming.
For what it's worth, a password manager will save time down the line, since it is able to detect login fields in browsers before automatically filling in the credentials after a single-click confirmation from the user. It also saves time from having to go through a password reset process over email in case the user forgets the password.
There are multiple options for password managers. When making a decision, two factors need to be taken into account. Firstly, how accessible and easy to use should it be and secondly, how much vendor-lock-in would be the case. Techlore privacy tools provides a list of recommended password managers.
Two factor authentication (2FA)
In cybersecurity, there is the term single point of failure (SPOF). It refers to a situation where a full compromise is at risk based on only one security mechanism failing.
For example; an account locked behind a computer generated password, which consists of forty letters and digits, would be impossible for a computer to break with today's technology. Even though that is a secure lock, If the password were to get leaked, the situation would flip upside down. Since that unbreakable password is now known, there is no defensive mechanism locking the account left.
Two factor authentication or 2FA for short solves this issue by always requiring another mechanism in order to unlock the account. This can be something like a code sent via a phone number or a link sent over email, but ideally, it should be a time-based one-time password (TOTP). Enabling TOTP usually consists of scanning a QR code using a dedicated app on a mobile phone. The app is then able to generate six-digit numbers that are replaced every thirty seconds. With this security measure, an account would not be compromised, even in case a data breach reveals the password, since a second layer of verification is required.
Similarly to when choosing a password manager, it is important to avoid vendor-lock-in solutions. Techlore privacy tools provides a list of recommended 2FA applications.
Email aliases
An email aliasing system provides the most benefits across the board, but it takes a lot of effort to set-up and requires regular maintanance.
As explained previously, using unique passwords for each account prevents data breaches from dealing blast damage; other accounts would not be compromised. However, Unless an email aliasing systeme is in place, all accounts would still share the same few (or single one) email address. This system required a password manager to already be in place, or else it would be difficult to keep track of all account credentials.
A user who receives spam and phishing attacks to their address would not be able to do anything about it. Afterall, there is no way to track down where the data leak happened. On the other hand, if all email addresses given out by a user to websites are unique, it's easy to pin down which site leaked the address, or worse, sold the contact information to advertisers.
An email aliasing system also provides privacy benefits. It would be substantially more difficult to identify a user's identity based on their email alone, if the address in question is just a dispoable alias.
The privacy guides organization provides a email aliasing services.
Deleting unused accounts
Registering an account means creating another point of failure for data to be leaked.
Everything uploaded to the internet says on the internet, and that's a rule to live by. In the first place, the best solution is to avoid register accounts on websites whenever possible, but for those unavoidable cases, it is recommended to get rid of the accounts as soon as they are no longer of any use.
Rquesting account deletions is a tiresome prosses that is almost impossible to automate. Websites make data deletion requests of any kind tiresome by design. Oftentimes, deleting an account via a website's account menu does not mean that all associated data will be deletead as well. A good example would be openai, where deleting an account does not mean that chats and conversations are deleted as well.
In some situations, websites do not offer proper account deletion menus at all, which goes against the right to be forgotten, granted by the General data protection regulation (GDPR). In these cases it is necessary to send in an email to support like in the following example:
Dear support team,
I hereby request the deletion of my account associated with this email address, as well as all of its associtated data to be deleted according to the EU-GDPR.
Regards,
a user
Responses could include intsructions to delete the account via the website, requests for additional information before the deletion is initiated, or a confirmation request that explains what it means for an account to be deleted before proceeding. All of these are tiresome to deal with and can not be easily automated, since many require manual responses on a case-by-case basis.
Depending on the number of accounts to be deleted, it might be faster to send only emails to support; regardless if the website offers a way to delete the account via a menu.
Even more exhausing is the process of finding out which accounts exist before attempting to get rid of them. The most consistent way is to check the email inbox. Most likely, an email was sent out by the website to confirm the email address before the account is validated. Similiarly there might be formal emails welcoming account holders to the platform they just registered at. All of thesese emails can be searched for in order to create a list of accounts that exist and eventually need to be deleted. Again, a password manager is very helpful for keeping track of existing accounts.
In the case of Google, Apple, and services like Github; some accounts may be tied to open authorization (OAuth), in which case, it is very easy to delete any amount of accounts. Simply put, OAuth is the Login With option offered by many websites for some of the aformentioned examples. In those cases, it is very simple to find a list of accounts created via OAuth, but the exact steps vary between providers and can be found at their respective support pages.
Revoking OAuth for an account does not mean the website in question deletes the users data. Understanding what OAuth withdrawal means comes down to what it provides in the first place. For example, when using Google to login to a service, Google acts as an identity provider that allows the website to access information such as Name, E-Mail, and perhaps other google services. Revoking this access invalidates all active tokens so that the website in question is no longer able to access the data. What it does not mean, is that the website loses data stored by themselves.
To be even more specific; a website might offer a streaming service with the option to login using various OAuth providers. Once the access is revoked, the website would still have data on how the service was used, such as preferences, interests, and user behavior.
To summarize; OAuth simplifies the process of hunting down existing accounts, but revoking access would not result in any data deletion. For a full account removal, following the previously described steps would be necessary before revoking the OAuth tokens.
Summary
In conclusion, implementing the ideal account management system takes a lot of work, but most of the benefits come from easily implemented solutions.
1. Password managers
2. Two factor authentication (2FA)
3. Email aliases
4. Deleting unused accounts
The steps are ordered by effort required and benefits gained.