The ‘Mastermind’ hacker who stole 20 million user credentials from Russian dating website Topface has got an extraordinary response from his victim – an undisclosed payment for “finding” the vulnerability that led to the calamitous breach.
It’s an extraordinary turn of events that would be unthinkable in almost any other country, but the site justified its decision with the argument that recovering the data would end the matter once and for all.
Recall that the hacker in question had tried to sell the stolen data on a crime forum, which is where the breach was first noticed by a third party, US security outfit Easy Solutions. Without that discovery the data would probably have been sold on without the site realising that a breach had happened in the first place.
“He [Mastermind] has confirmed the findings of our investigation and has made an agreement with Topface for no further distribution of acquired email addresses database,” the firm said in a statement.
“Due to the fact that he has not passed the data to anyone and has no intention to do so in the future, we will not accuse him, moreover, we have paid him an award for finding a vulnerability and agreed on further cooperation in the field of data security.”
The huge cache included email addresses and user names but not passwords or other account data, the statement confirmed.
“Due to the fact that we do not store any billing information of users, and authorisation of more than 95 percent of accounts are going via social networks, we are confident, that third parties could not get any additional data of users.”
Users logging in to the site using email addresses had been asked to change their passwords as a precaution.
The response leaves a number of questions lingering such as how it is certain that the data has not been passed on. Topface describes the transaction as a payment but to many others it will be viewed as a ransom of sorts. Presumably, if someone had offered a higher price, buying the data back wouldn’t have been possible.
Hackers who mine some kind of reward out of bending the rules are far from unknown. One example is George ‘Geohot’ Hotz, who in 2011 got a job at Facebook after acquiring mild notoriety for jailbreaking the iPhone in 2007 and doing the same to Sony’s PlayStation 3. However, he was not taking money after stealing data so the comparison is not a direct one.
British security expert Graham Cluley, who in the past has been critical of paying hackers for their handiwork under any circumstances, was unimpressed.
"My concern about paying hackers like this is that you're just encouraging others to illegally breach systems and pinch data," he told Techworld.
"The hacker in this case has already proven themselves to have dubious ethics by both stealing the data, and then offering it for sale online. If someone finds a weakness on a website or product the right thing to do is to tell the organisation about the flaw, and work with them to get it fixed. The wrong thing to do is to steal millions of credentials and offer them for sale," he said.
With nearly 92 million users and growing, Topface doesn't appear to have suffered any negative consequences as a result of the breach.