BreachDirectory, Security, WAF

BreachDirectory has passed the 5 Billion record mark – here’s what it means

When I first began creating BreachDirectory, I thought I’d see at most a hundred million records. Okay, maybe half a billion. But this, this is something else altogether.

Today, BreachDirectory has passed the 5 billion record mark. I’m not sure whether this is a celebratory occasion though, because five billion – billion – people having their data compromised in one way or another is never a good thing. But hey, that is the reality of the web today. Data breaches are rampant and they occur on a daily basis – this should come as no surprise.

What I want to do in this blog post is to cover where BreachDirectory is heading next and perhaps answer some of the questions that may have arisen.

Transparency and ethics

One of the first things that comes up when services related to data breaches are talked about is the ethics. Don’t get what I mean? Take a look at how it ended with the now-defunct LeakedSource – I will wait. Unlike similar services, BreachDirectory does not make sensitive data available to anyone. I also never pay for data breaches, as I feel that it only incentivizes criminals and does not help data breach victims in any way. It may be that BreachDirectory eventually turns into a data breach search engine, but if such a feature were introduced, it would be designed in such a way as to prevent abuse.

As far as the ethics of such a service are concerned, I get that data breaches are never a good thing – educating the public about the breadth of them is very, very important though. BreachDirectory stands as far toward the white end of the scale as I could possibly position it, and I am trying my best to keep it that way. The service is run openly, transparently and honestly, and I think it’s the right way to operate such a service.

Doing good things with breach data

Data breaches are not a good thing, but they happen. Data is leaked online, and as much as there are ways to utilize the data for evil purposes, there are ways to use breached data for good too – for example, in 2013, Facebook sent messages to users whose information appeared in the Adobe breach, Amazon sent notifications when they found a data breach containing the credentials of one of their customers, etc.

Refining the firewall

I’ve wanted to refine the WAF that protects BreachDirectory and this blog for some time now – the main thing I want to do is to implement automatic banning when a certain number of rules are triggered within a certain amount of time, and to create a panel to easily add and remove threat detection rules. I have a few other things in mind too, which I will hopefully write about here in the near future.
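A sketch of the automatic banning described above, added here as an example and not BreachDirectory's own WAF code: a client is banned once it trips a threshold of rules inside a sliding time window, and the rule table is a plain dict that a management panel would add entries to or remove them from. The rule patterns, thresholds, client addresses and sample log are all constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed rule table (name -> pattern); a rule panel would add or remove entries here.
RULES = {
    "path_traversal": re.compile(r"\.\./"),
    "sqli_union": re.compile(r"union\s+select", re.I),
    "xss_script": re.compile(r"<script", re.I),
}

def inspect(request):  # names of every rule the request line trips
    return [name for name, rx in RULES.items() if rx.search(request)]

class AutoBan:
    """Ban a client once it trips max_hits rules inside a sliding window of `window` seconds."""
    def __init__(self, max_hits=3, window=60, ban_duration=3600):
        self.max_hits, self.window, self.ban_duration = max_hits, window, ban_duration
        self.hits = defaultdict(deque)  # client -> timestamps of recent rule triggers
        self.bans = {}                  # client -> ban expiry timestamp
    def is_banned(self, client, now):
        return now < self.bans.get(client, 0)
    def record_trigger(self, client, now):  # True if this trigger tips the client into a ban
        q = self.hits[client]
        q.append(now)
        while q[0] <= now - self.window:  # evict triggers that fell out of the window
            q.popleft()
        if len(q) < self.max_hits:
            return False
        self.bans[client] = now + self.ban_duration
        q.clear()
        return True

def process(log, ban):
    """Run (timestamp, client, request) records through the WAF; return (client, ban_time) pairs."""
    banned = []
    for ts, client, request in log:
        if ban.is_banned(client, ts):
            continue                    # already blocked; its requests are not inspected
        if any(ban.record_trigger(client, ts) for _rule in inspect(request)):
            banned.append((client, ts))
    return banned

# Constructed sample log: 10.0.0.5 trips three rules within 60 s, 10.0.0.9 only one.
SAMPLE_LOG = [
    (0, "10.0.0.5", "GET /../../config"),
    (20, "10.0.0.9", "GET /?q=<script>"),
    (30, "10.0.0.5", "GET /?id=1 union select 1"),
    (45, "10.0.0.5", "GET /?q=<script>"),
]
```

Each rule a single request trips counts as one trigger, so a request matching two rules advances the client two steps toward the threshold.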

Where to now?

There’s a huge amount of hacked data floating around the web – that means the record count is only going to increase. To what point? Hard to tell: the data breach landscape is changing very, very quickly.

The best possible future for BreachDirectory would be that data stopped flowing into it, but as far as I can see, this isn’t going to happen anytime soon. This is both good and bad – by importing more data into the service I will be able to make more people realize that using the same password all over the place is stupid and will lead to their information getting stolen, and to try to make companies that are less security-conscious realize that security is something that should be taken seriously.