Sensitive consumer data posted online (and the FTC knows who did it)

Share This Page

Here’s the story of a database of sensitive consumer information – names, addresses, phone numbers, email, and payment information – posted on a site frequented by (among others) hackers. It took just minutes before identity thieves tried to make unauthorized use of the information. But this tale of stolen credentials is full of surprises, including who posted the data.

If you’re watching the FTC’s Identity Theft: Planning for the Future webcast right now, you know that the “perpetrator” was the staff of the FTC’s Office of Technology Research & Investigation (OTech) and the information belonged to 100 fake people, but was designed to look like a filched database of consumer credentials.

OTech conducted the experiment to answer two questions: 1) When information like that is made public, does anyone use it? and 2) What can law enforcers learn by tracking what ID thieves do with data once they get their hands on it?

After creating the database, OTech posted it twice on what’s called a paste site. (That’s a site where people can paste information in plain text. There are legitimate uses, of course, but hackers have been known to use them to make stolen data available to others of their ilk.) For two weeks OTech monitored all email access attempts, payment account access attempts, attempted credit card charges, and texts and calls received by phone numbers. What did they observe?

Sharing is erring.  OTech’s first posting on April 27th got about 100 views. The second posting on May 4th got about 550 views. We think the likely reason for the uptick is that a Twitter bot disseminated the availability of the data to a wider audience.

ID thieves don’t waste time.  There’s a unit of measurement faster than the proverbial New York Minute. It’s the time it takes a data thief to exploit stolen information. After OTech’s initial posting, it took 90 minutes for the first unauthorized attempt. But after the second posting, it took just 9 minutes. The total number of attempts: 119 in the first week and 1108 in the second.

The market for stolen data is global.  IP addresses from close to 30 different countries were used in access attempts. The majority were from IP addresses in the United States. But don’t take out that “We’re #1” foam finger just yet because most of the ID thieves used technologies that hid their true IP addresses.

Data theft funds shopping sprees.  In the two weeks OTech studied, fraudsters tried to rack up $12,825.53 in illegal purchasers. Retailers were their top target. Notable purchase attempts: pizza and online dating services.

OTech’s study suggests some tips for security-conscious companies:

  1. ID thieves will exploit available information. Period. If your business needed any more reasons to Start with Security, OTech’s findings provide plenty.
  2. Paste sites seem to be favored hangouts for data thieves. Email and payment service providers may want to take a look at what’s going on at those locations.
  3. Two-factor authentication provides at least some protection against stolen credentials. Have you thought about implementing it at your company?
  4. OTech spotted a pattern of multiple purchase tries at a single site within a very short period of time. Depending on the circumstances, seriatim purchase attempts could suggest that fraud is afoot.

Watch the the event from the LIVE WEBCAST link.


Well done FTC i try keeping up with all your post on scams and hackers was glade to see some recent arrests past weeks of groups of foreign countries as here . I get grant phone calls and winner of a lottery as school loans I don't have. Great job FTC.

I think the general public should be made aware of these sites. I got a computer in 2010, this is the first time I have heard about paste sites. I think most honest people know about identity theft, hackers and what is referred to as the "dark web", as a concept, but have no idea how it all functions. Like many people I know, I do not know how to get to the " dark web". Or even know if I had stumbled on to one. I can't guard against or report something I don't know about or HOW it can damage me. I would appreciate more public education on these subjects.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.