Ask HN: Is it ethical to make use of a public dump of hacked data?
I have a list of emails, and from that, I'd like to map them to corresponding user accounts on a public site. This mapping is possible if I make use of a data from a hacked data dump.
Is doing so ethical?
I don't personally mind, since my attitude is that so many people are already doing this and the cat is basically out of the bag. In my mind, what matters moreso is whether the use of the data is harmful or not. But I want to tread lightly, as I don't want to assume that others share my same ethical assumptions.
8 comments
[ 5.1 ms ] story [ 30.4 ms ] thread> I don't personally mind, since my attitude is that so many people are already doing this
There's a common idiom about people jumping off of bridges that applies equally well to committing crime or being unethical
Do you want to be an unethical person or break the law?
More specifically, what I mean is that I don't personally mind bc my attitude is that so much of my data is already out in the ether, that it's a non-issue at this point. I assume hundreds/thousands of companies already have my data and it's generally fine, so I wouldn't personally care.
But I don't want to assume that my own perspective is the common one, so I'm attempting to level set against others, as I'd like to act in an ethical manner.
My mindset is that so much information is already out there that it doesn't matter, but I'm hesitant to use that as my rubric.
That said, ethics isn't boolean, and it's not as if you're murdering children by making use of this data...
For example, haveibeenpwned uses "hacked data dumps" for their service, and uses it in an ethical way. Of course you don't enter your password - just the associated account user name, to see if it shows up in the database. I don't know however, if they have a way to tell if the password has been changed, thus killing any possibility of telling if the account has been pwned more than once.
The Credit Card Cop site used to as well. But in their case, I always questioned the ethics of teaching people it's okay to enter their full credit card numbers to a site they've otherwise not done business with, to see if they've already been collected once... how does the user know they didn't just fall for a scam to collect their credit card numbers?
I met the owner (Dan something) at an infosec tradeshow once. I think his heart was in the right place, but he thought I was overthinking my concerns, and my idea of at least using hashes of the stolen card numbers, compared to hashed input was overkill. I'm pretty sure that database was illegal, and if there was ever an intrusion, no insurance company in the world would cover his liability on that one.
The service doesn't exist anymore, and their site is ironically now owned by what definitely looks like a credit scam. The site content (complete with typo in the name) has Lorem Ipsum text throughout, something about buying humorous Lorem Ipsum, etc. And confusingly, some text about a fake Photoshop plugin called Focus. It's literally the most baffling fake site I've ever seen.
Further, there are legal implications, given GDRP and similar rules. I personally wouldn't do what you're suggesting, but maybe if you spoke to a business lawyer you'll head off in a wholly appropriate direction with a clear benefit to those whose data you are using.