Ask HN: Is it ethical to make use of a public dump of hacked data?

1 points by isitethicalanon ↗ HN
I have a list of emails, and from that, I'd like to map them to corresponding user accounts on a public site. This mapping is possible if I make use of a data from a hacked data dump.

Is doing so ethical?

I don't personally mind, since my attitude is that so many people are already doing this and the cat is basically out of the bag. In my mind, what matters moreso is whether the use of the data is harmful or not. But I want to tread lightly, as I don't want to assume that others share my same ethical assumptions.

8 comments

[ 5.1 ms ] story [ 30.4 ms ] thread
It's likely unethical by most people's standards and illegal in many countries

> I don't personally mind, since my attitude is that so many people are already doing this

There's a common idiom about people jumping off of bridges that applies equally well to committing crime or being unethical

Do you want to be an unethical person or break the law?

Indeed, your point is well taken.

More specifically, what I mean is that I don't personally mind bc my attitude is that so much of my data is already out in the ether, that it's a non-issue at this point. I assume hundreds/thousands of companies already have my data and it's generally fine, so I wouldn't personally care.

But I don't want to assume that my own perspective is the common one, so I'm attempting to level set against others, as I'd like to act in an ethical manner.

Use the golden rule: would you mind if somebody did that to you, one of your relatives, friends, son, daughter?
In this case I would not, but that's why I'm asking :)

My mindset is that so much information is already out there that it doesn't matter, but I'm hesitant to use that as my rubric.

No, it's not ethical in any framework I am aware of to knowingly benefit from the fruits of theft.

That said, ethics isn't boolean, and it's not as if you're murdering children by making use of this data...

I think this is a good reason not do to so. Regardless of my personal feelings, benefiting from theft is a good "line in the sand". Thanks for helping to provide some moral clarity here.
Thanks to the folks who commented. They were all pretty strongly in the camp that it is unethical, and I'm inclined to agree with their arguments.
That probably depends on what you are doing with it, and how the results can be used. Note "can be" and not "expected to be."

For example, haveibeenpwned uses "hacked data dumps" for their service, and uses it in an ethical way. Of course you don't enter your password - just the associated account user name, to see if it shows up in the database. I don't know however, if they have a way to tell if the password has been changed, thus killing any possibility of telling if the account has been pwned more than once.

The Credit Card Cop site used to as well. But in their case, I always questioned the ethics of teaching people it's okay to enter their full credit card numbers to a site they've otherwise not done business with, to see if they've already been collected once... how does the user know they didn't just fall for a scam to collect their credit card numbers?

I met the owner (Dan something) at an infosec tradeshow once. I think his heart was in the right place, but he thought I was overthinking my concerns, and my idea of at least using hashes of the stolen card numbers, compared to hashed input was overkill. I'm pretty sure that database was illegal, and if there was ever an intrusion, no insurance company in the world would cover his liability on that one.

The service doesn't exist anymore, and their site is ironically now owned by what definitely looks like a credit scam. The site content (complete with typo in the name) has Lorem Ipsum text throughout, something about buying humorous Lorem Ipsum, etc. And confusingly, some text about a fake Photoshop plugin called Focus. It's literally the most baffling fake site I've ever seen.

Further, there are legal implications, given GDRP and similar rules. I personally wouldn't do what you're suggesting, but maybe if you spoke to a business lawyer you'll head off in a wholly appropriate direction with a clear benefit to those whose data you are using.