An interesting bit of news has recently come out of Russia, where the popular dating site “Topface” agreed to pay an attacker an unspecified amount of money to prevent him from selling a list of 20 million email addresses that had been stolen from their servers. Topface Chief Executive Dmitry Filatov was quoted as saying his company had “paid him an award for finding a vulnerability and agreed on further cooperation in the field of data security”, but those in the security industry see it for what it really is: ransom.
Calling this transaction anything other than an act of extortion is a dangerous precedent to set, and if condoned by the media, may end up causing headaches for other companies down the line.
On the surface, it seems straightforward enough: the attacker, known as “Mastermind”, made off with 20 million customer email addresses and was attempting to sell them online, and Topface took him up on the offer and bought the email addresses themselves to prevent them from being released. Presumably the details on the attack would also be disclosed so Topface could plug up whatever leak let Mastermind make off with the data in the first place, which is likely what was meant by “further cooperation in the field of security.” The deal seems to be of questionable wisdom, but otherwise logical.
But the story immediately sounds odd to anyone with experience in the security field. Email addresses, without context or additional data, aren’t worth a whole lot. The spam email industry is proof of just how common lists of millions of email addresses are; you don’t need to break into a company’s server to steal a list of email addresses when you can get those anywhere. So why pay Mastermind for something that didn’t have much street value to begin with?
It seems likely there was more information at stake than what Topface is claiming, such as personal information or passwords. It could be that Topface is attempting to downplay the severity of the breach by saying only email addresses were compromised. Or perhaps what Topface was really purchasing wasn’t the data itself, but the information required to fix the initial vulnerability and potential backdoor from Mastermind’s attack. It may even be that there are some addresses on that list which wouldn’t go over well if the public saw them, such as those of politicians.
It’s a facet of this story that we’ll likely never know, as there’s no reason for either party to spill the beans. But it would be nice to hear just what was so important that Topface was willing to make such a bold public move.
In the end, the details of the attack and subsequent deal are moot. The real story here is the precedent that Topface has set for attackers looking to make a quick buck. Why disclose a vulnerability through the proper channels when you can just steal some data from the target and sell it back to them later? If one company is willing to suffer the slings and arrows of the tech media to get their data back, so will others.
While bug bounties are a popular and increasingly common way to get your systems or code tested, there is an extremely important distinction between offering a reward for finding and reporting a flaw in your system and asking a company to pay you so you don’t reveal the data you’ve already stolen. Topface calling the money it paid Mastermind a “reward” is a simple gesture that makes the company look better, but at the same time it endangers the security industry as a whole.