A robust and often unseen economy, operating within the recesses of the internet, is continuously fueled by the theft of personal and corporate information. As detailed in WIRED's Incognito Mode, data breaches are common, leading to the compromise of corporate secrets, credit card numbers, email passwords, medical information, and even simple credentials like a Netflix login. The ultimate fate of this data is determined by the identity of the attacker, generally categorized into state-sponsored hackers, activists, and criminal hackers.
State-sponsored hackers, often referred to as advanced persistent threats, primarily engage in espionage or blackmail that benefits the state sponsoring them. When these groups are involved, the data frequently vanishes into a "black box," making it extremely difficult to track its disposition. A classic example is the massive Equifax breach, where data belonging to tens of millions of people was stolen but has never surfaced online. Conversely, some state-sponsored actions are designed to cause chaos, such as the Russian hack of the Democratic National Committee (DNC) emails, which a U.S. government investigation found was intended to release data and disrupt the political system.
Activist hackers aim to embarrass, shame, or cause problems for organizations they oppose, such as police departments or weapons manufacturers. These hackers, including notorious groups like Anonymous, often steal data and then share it directly with journalists or post it online themselves, as seen when Russian government and military records were dumped onto the internet.
The type of hack that most commonly leads to individuals seeing their information exposed is carried out by criminal hackers. These groups are largely indiscriminate, targeting any system to steal data for monetization. Their two primary methods of profit are ransomware and the direct sale of stolen data. Ransomware involves infecting a system to steal data and encrypting the system to render it unusable. Targeted entities are often those that require continuous function, like hospitals or government organizations. Hackers threaten to leak the sensitive data unless a large ransom, sometimes hundreds of Bitcoins, is paid. Experts strongly advise against paying ransoms because it encourages further attacks. This advice was tragically illustrated by the 2024 Change Healthcare attack, where the company paid approximately $22 million (350 Bitcoin) only to have a second hacker group obtain and post the data online regardless.

The second key method is the direct sale of data, creating a "massive underground economy" known as the hacked data pipeline. Newly stolen information first undergoes a "wholesale distribution step" in private groups, hacker networks, and forums, where it is sold quickly and in bulk to trusted sources. From there, the data filters down to dark web marketplaces. Accessing these anonymous markets requires the Tor Browser. Here, stolen data is traded alongside drugs and counterfeit items. Market prices can be surprisingly cheap: a Netflix login might sell for as little as $10, and credit card details with a $5,000 balance can cost around $110. Higher-value data, like corporate secrets, is often auctioned off. These markets frequently rely on cryptocurrency to make transactions difficult to trace, and they are often controlled by groups based in areas like Eastern Europe, Russia, or China, which lack extradition treaties with the United States.
The range of stolen data is vast, categorized into about 150 classes. The most prevalent types are email addresses and passwords. Other highly sensitive classes include government-issued IDs (passports, driver's licenses) and deeply personal health data. Troy Hunt, founder of the breach monitoring tool noted that the forums where this data is exchanged look just like regular internet forums, but the users are "talking about crimes and exchanging personal data for their own benefit".
Stolen information is rapidly leveraged for purposes including identity theft, medical fraud, tax fraud, and credential stuffing. Credential stuffing exploits the common practice of password reuse across multiple sites, allowing criminals to take over accounts even if they only have one compromised login. Even basic information like a name, email address, and phone number can be used for phishing attacks or to target individuals with scams. Data is often sold and resold multiple times before the victim is even aware it was stolen.
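On the defender's side, credential stuffing leaves a recognizable shape in login logs: one source tries many different accounts once or twice each, and a small fraction succeed because the password was reused. The following is an added example, not part of the WIRED segment or this article; the log format, the thresholds, and every address and username in it are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log (not real data): "timestamp source_ip username result"
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:0{i}Z 203.0.113.7 {u}@example.com {r}" for i, (u, r) in enumerate(
        [("alice", "FAIL"), ("bob", "FAIL"), ("carol", "OK"),
         ("dave", "FAIL"), ("erin", "FAIL"), ("frank", "FAIL")])]
    + [f"2024-05-01T10:01:0{i}Z 198.51.100.9 admin@example.com FAIL" for i in range(6)]
    + ["2024-05-01T10:02:00Z 192.0.2.10 grace@example.com FAIL",
       "2024-05-01T10:02:09Z 192.0.2.10 grace@example.com OK"]
)

def classify_sources(log, min_accounts=5, max_tries_per_account=2.0,
                     max_success_rate=0.3, min_failures=5):
    """Return {ip: {"verdict": str, "accounts_to_reset": [usernames]}}."""
    tried, hit = defaultdict(set), defaultdict(set)
    attempts, failures = defaultdict(int), defaultdict(int)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        _, ip, user, result = parts
        user = user.lower()
        tried[ip].add(user)
        attempts[ip] += 1
        if result == "OK":
            hit[ip].add(user)
        else:
            failures[ip] += 1

    report = {}
    for ip, accounts in tried.items():
        breadth = len(accounts)
        tries_per_account = attempts[ip] / breadth
        success_rate = len(hit[ip]) / breadth
        if (breadth >= min_accounts and tries_per_account <= max_tries_per_account
                and success_rate <= max_success_rate):
            verdict = "credential_stuffing"  # wide and shallow: many accounts, few tries each
        elif breadth == 1 and failures[ip] >= min_failures:
            verdict = "brute_force"          # narrow and deep: many guesses at one account
        else:
            verdict = "normal"
        # A login that succeeded from a stuffing source means that password is already leaked.
        reset = sorted(hit[ip]) if verdict == "credential_stuffing" else []
        report[ip] = {"verdict": verdict, "accounts_to_reset": reset}
    return report
```

Calling `classify_sources(SAMPLE_LOG)` flags the first source as stuffing and lists the one account whose reused password worked, which is the account to lock and reset first.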
Over the past decade, password protection has improved in large organizations, but the sheer volume of breaches persists. Hunt observed that consumers are developing "a little bit of apathy," a sense of "data breach fatigue," until they experience a tangible impact like losing money. Organizations, conversely, are becoming "increasingly standoffish" regarding disclosures, often relying on their legal right not to disclose breaches to individuals, primarily out of fear of triggering class-action lawsuits.
Individuals can take several steps to mitigate their risk. If notified of a breach, changing the password immediately and using a password manager to create unique passwords for every service are essential. If highly personal financial information is compromised, freezing credit and utilizing credit monitoring services are key steps to prevent financial fraud. Furthermore, using multifactor authentication (MFA) is critical, preferably via trusted tools like Google Authenticator or a YubiKey rather than SMS-based MFA. Finally, users should aim to use apps and websites from companies with a strong security track record to reduce the chance of initial data theft.