The Privacy, Security, and OSINT Show 273 - Credential Exposure Removal
Primer: Breached data containing login credentials are circulated all over the internet. In this episode of the OSINT show, Michael Bazzell teaches us how to find third-party services that provide this information and how to remove them from the web.
Update On Apple Devices
Last week, Paul Asadoorian came on the show and discussed Intel’s Management Engine (ME)
Viewers asked about Apple devices, which Paul was not familiar with
Some viewers wrote in their answers
Apple computers such as the MacBook Pro were made using the Apple M1 and M2 chips
The old Apple laptops used Intel-based processors that have the Intel ME on the chip. However, it uses a greatly reduced version of it that does not have remote access and network management
Apple provides firmware updates when there are major OS updates
Believes a fully patched modern Mac machine is more secure than most other options
Amazon And Ring Cameras
A story came out about Amazon, who own the ring cameras — cameras located near doorbells —is providing video and audio collected to the police without a warrant
It sounds concerning, but they have done it a total of 11 times for genuine emergencies
Plenty of articles indicated that law enforcement did it without a search warrant and user consent:
First part is true because they do not need a search warrant with exigent circumstances
When users set up their ring camera, they agree with the Terms of Service allowing Amazon access to collecting and sharing your information
“We have no right to privacy when we hand over our lives to be managed by third-party companies voluntarily. Take control of your own life.”
- Michael Bazzell
Credential Exposure Removal
Added a new guide on Credential Exposure Removal to his website
It is now a four-step process:
Requesting your data from data mining companies
Freezing your data
Removing your data
New 4th step on Credential Exposure Removal
Breached data: When a company gets hit with a breach, their database of plaintext or poorly hashed passwords is spread all over the internet
Some companies collect and sell breached data
Some people would want to have their breached data removed
His Credential Exposure Removal guide has 8 entries:
Have I Been Pwned: Check whether have you been involved in a breach. Have an opt-out page to remove yourself from the system
Dehashed: Have a do-it-yourself option to remove your entries
Leakcheck: People paying a few bucks to view your passwords from publicly available data breaches. Create a burner account to check your address. If it’s there, you can email them to remove it
PSBDMP: They scrape things like Pastebin where breached data is often exposed. Michael provides a link to his tool that searches their API for your email address. If there’s a hit, you can email them for removal
IntelX: Have an Abuse page where you put in the URLs to data breaches about yourself that you would like to be removed
HudsonRock: Looks at logger data (e.g. virus on your machine logging everything you do on it). Email them to get your information removed
When someone wants to doxx you, they pay these third-party services to view your credential information
If you take the steps to remove your credential information from the most commonly used services, you reduce your exposure/footprint
Don’t think that credential exposure removal is vital for everyone. Believes that a credit freeze is more important
Companies That Collect Breached Data
Some of these companies don’t offer their services publicly. They heavily vet their customers and limit the information available
Removal of your information from some of these services could hinder the purpose of that data (e.g. the company that monitors data breaches cannot notify your company of a potential issue because you informed them not to)
All information presented above is for educational purposes only and should not be taken as investment advice. Summaries are prepared by The Reading Ape. While reasonable efforts are made to provide accurate content, any errors in interpreting and summarizing the source material are ours alone. We disclaim any liability associated with the use of our content.