Today I accidentally uncovered a huge list of people’s names, addresses and credit card details online. No kidding.

I found more than that: login details to people’s web hosting accounts and e-commerce site memberships as well. It was really freaky to think it was all just staring at me, thanks to a flukey Google search. Nothing more complicated than that. (And no, don’t email me for the search details!)
For whatever reason, a hacker has broken into a number of sites and stored the resulting DB dumps in text files that Google came along and indexed, all because the directories on this guy’s site were set to list their contents when no default (index) file is present.
I have emailed Victoria Police with all the details. But after thinking about it some more, I have a simple observation and a suggestion…
First, the observation: if a hacker is dumb enough to have your private login or credit card details online and indexable by Google, then they’re likely to be in a text file and unencrypted. If your credit card number is listed, it’s probably had the spaces removed, since that’s how it will be stored (by idiots who don’t use a salted hash).
Search Google for Your “Privates”
So here’s the suggestion: search Google for your credit card number. If something shows up go check it out. See if you also fluke a list of hacked card details with your own details there too. If you find nothing it doesn’t mean you haven’t been hacked… it just means you’re not listed online.
Now, if you have a strange and obscure password you always use (one that is most likely yours and yours alone), try searching for that too. Again, if it shows up in Google’s SERPs, check out the page and see what’s there.
I must say I was pretty freaked out to have discovered these credit card details online. I mean, you’d think a hacker would be smart enough to keep his stuff away from public web access and Google indexing, but perhaps not.
Crappy Coding of E-Commerce Sites
All this raises an issue that I have been long worried about… the coding and security standards of e-commerce sites out there.
How do you and I know whether a given site is secure or not? Suuuuuuuure… it has HTTPS working right and the little key comes up in your browser when you get to the page asking for your credit card details. So what?!
The real worry is whether a hacker can get into the database and suck out all the customer and purchasing records. And if a programmer doesn’t know what a salted hash is (basic basic stuff), he should be shot. If a programmer doesn’t know how to code his querystrings so that SQL can’t be injected in, then he should also be shot.
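The query-string point above, as an added example that is not code from the original post: the same customer lookup written first with string formatting and then with a bound parameter, run against a constructed in-memory SQLite table (table, column and function names are assumptions).

```python
"""Added example (not from the original post): why query strings must be
parameterised. Uses an in-memory SQLite database with constructed sample
rows; the table and function names are hypothetical."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway customer table with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def find_customer_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The 'before' pattern: user input pasted straight into the SQL text.
    A quote character in the input ends the string literal, and whatever
    follows is parsed by the database as SQL rather than as a name."""
    sql = "SELECT username, email FROM customers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_customer_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a bound parameter. The driver passes the value separately
    from the statement, so it is only ever compared as data."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal name and with a crafted one.
    The crafted value is a constructed test input, not a real account."""
    conn = make_db()
    crafted = "nobody' OR '1'='1"
    return {
        "normal_unsafe": find_customer_unsafe(conn, "alice"),
        "normal_safe": find_customer_safe(conn, "alice"),
        # unsafe: WHERE clause becomes a tautology and every row comes back
        "crafted_unsafe": len(find_customer_unsafe(conn, crafted)),
        # safe: the whole string is compared literally and matches nobody
        "crafted_safe": len(find_customer_safe(conn, crafted)),
    }


if __name__ == "__main__":
    print(demo())
```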
This is why you SHOULD think about the e-commerce platform used by the vendor you’re about to buy from online. See, there are known weaknesses in various shopping cart software platforms out there. And if someone builds one from scratch… well, you’d better hope they know what they’re doing.
If It’s Always The Same Password, One Hack Is Enough
If you’re like me, you use the same username everywhere. It’s a branding thing. I’m “alicam” (or “blogologist”) almost everywhere, unless I can’t get these, or unless I don’t want to be “me”.
If you’re NOT like me, you also use the same password everywhere. (I confess… I used to, until a few years ago when I woke up!)
Here’s the danger of using the same password everywhere: a hacker only needs to compromise any one single website to which you are subscribed as a member to get your username and password (assuming he can get past the hash or whatever obfuscation is in place). Once he’s got these, he can try these again all over the place, looking for what other sites and services you belong to. Along the way he can gather more and more information about you, in readiness for “becoming you”… called Identity Theft.
So don’t use the same password every time. Here’s a trick that may work for you: add part or all of the domain name into your password, along with the bit you usually use. So, if your password was always “fr3dd0”, make it fr3dd0-yahoo, fr3dd0-google, fr3dd0-wordpress, etc. Sure, a person could work out what you’re doing, but not a machine. And often enough the attacks are done by machine, with a person taking over once there is some success breaking in.
In my case, I had a password generator make up 16-character long unique strings (with alpha-numeric and special characters), which I use uniquely for each of the services I use. I’m not taking chances. (How I memorize them all is my secret!)
Important Tips for Your Online Security
So, to conclude, here are some simple tips to keep you safe online:
- Buy online from large, reputable suppliers only. Ideally, choose vendors in the same “jurisdiction” as you, and vendors who also sell to you offline.
- Don’t buy from ugly sites. If the site looks really ugly and clunky on the front end, it might be coded that way on the back end too. Just walk away!
- Use Paypal where you can. It’s an eBay company and gives you a safety net for online transactions. They spend millions getting it right.
- Update your passwords. You should use really good passwords, and unique ones, for your important online services like banks, hosting suppliers, government, etc. Don’t double up on them.
- Buy from countries you trust. It sounds snobbish, but if you get in trouble with a vendor who doesn’t deliver, and he’s from a country that can’t protect you in law, you’re up the creek without a strudel.
- Know about phishing. You think you know what it means, but are you up-to-date on the latest tricks and techniques? Some of them are darned convincing. So use filters and software to help you too.
This is a quick brain-dump of my suggestions. There are more, so leave a comment for the benefit of others if you have some goodies.
Do The Right Thing!
Finally, do the right thing. If you find stuff that shouldn’t be there, tell the authorities. If you’re a Google Search Guru with all your advanced operator trickery, then it’s even more possible that you’ll come across stuff like I did… but I sure hope not.
52 Comments
That’s scary stuff - just glad that it was someone like you that stumbled on the info….
That’s a bizarre find you uncovered!
In my consulting work as a programmer I’ve always been amazed at the number of sites/systems that store the password in clear text. And it’s so obvious that most people use the same password for most sites. The importance of passwords just cannot be overstressed. Thanks for the warning.
It’s something which actually has been a problem for quite some time, and it’s not just small companies affected. Big companies suffer from it as well from time to time and it’s really hard to stop. You can only hope that whatever data you input is completely encrypted, not just a password but also usernames, credit card details, address details, etcetera. It doesn’t have to be an md5 encryption since that’s a 1 way encryption, but it should at least be something so the database on itself is rendered useless.
Unfortunately though, that’s in 99.999999999% of all databases not the case.
Not just eCommerce sites like this have been targeted, but also online games have had database ripped with tens if not hundreds of thousands different user details in combination with credit card details before already and I’m sure there’d be other types of business suffering from this as well.
Hey Al
Someone hacked into a site I had done business with some time ago and stole my cc details. Unfortunately for him, I had since paid your bill for some designing work and my card bounced when he tried to use it.
So, I suppose I should thank you.
I ran across something similar last week. I search sitepoint every week for good sites to buy. A lady was advertising an ecommerce site for sale. Someone asked for proof of sale and she posted an excel spreadsheet complete with customer names, addresses, billing addresses, credit card numbers, expiration dates, and csv codes.
I wrote sitepoint and they quickly removed the details. It just goes to show you, some people may not be intentionally causing you harm , but still shouldn’t be trusted with your personal info.
This is awesome. I’ve never heard of these suggestions before, even with all the ID theft stuff floating around the ‘net these days.
Thanks!
You used to be able to run search operators (like 4500000000000000..4600000000000000) in Google to find all numbers within that range (and therefore all credit card numbers it had indexed).
I tried it yesterday and it had since been blocked.
I’d be careful about typing credit card details into Google though.
Firstly, make sure you’re logged out of your Google Accounts, or have Google’s search history recording turned off.
But even with search history turned off, I would nonetheless worry - AOL last year released a huge amount of search data (which was typed into their Google-run search engine) - and among that search data were dozens of credit cards and pieces of personally identifiable (private, sensitive) information.
Spooky article. It’s strange that Google didn’t find a way to protect or even skip that sensitive information.
Wow, amazing information that I hadn’t thought of before! I really like the tip about adding a portion of the url into the password, I’ll have to start doing that with my numerous sites I have and use.
Definitely great information here! Thanks!
Hi,
It’s a rich content post. I found it very interesting and informative. Really, those tips for online security are excellent. I shared these tips with my friends and relatives. I know the danger of using the same password very well because of my own experience. But many people use the same password everywhere. You have provided great explanations here. Thanks for your valuable information.
Thank you for that advice. Did you inform Google? I’d be interested in their response.
Regards
Peter McCartney
this is very scary indeed. Identity theft is no joke and the fact you can find this on the internet shows why you should use these precautions
Let me rush to type in my most secret passwords into Google right now!!!!
You are an idiot if you search or put your credit card numbers and passwords on google. Google == CIA and they also store everything you search and can quite easily connect the information to you and places you visit. There is no guarantee an insider will not abuse them. I am aghast at you for advising people to do this. — Can you get any more stupid? How about photocopies of your drivers licence, passport, etc. and try posting them on a website to see if anybody has seen them online, eh? How about sending me your credit card information so I can see if I have happened to run across it?
@Jan - I am advising people to test for their credit card number, yes. NOT the number PLUS the expiry date or anything like that. Heck, what’s in a number? I can create a valid CC number easily if I know the checksum system… so valid credit card numbers are no big deal.
As for passwords, they mean nothing out of context. And my real point is not to use the same one everywhere anyway.
But thanks for adding to the conversation anyway.
DO NOT SEARCH FOR YOUR CREDIT CARD OR NAME! The search bar is an unencrypted channel and search engines publish and have published web searches for scientific analysis.
On top of that, US govt owns the right to direct internet traffic through their servers for ’security’ purposes.
PS Alister, you just gave some dumb advice.
@Daren - Don’t you think the US government already have your CC details if they want them? Do you really think they’re waiting for you to type that stuff into Google so they can get a hold of it?! These are the same people with the satellites and all that “Enemy of the State” gadgetry right?!
It’s not a new thing that you can find a lot of secret stuff with Google search. With smart query strings you can search for almost anything. I’ve made a special website for it.
Have a look at SearchHacker
http://www.searchhacker.com
Or its sister site to find unprotected live webcams.
http://www.camhacker.com
I would not recommend searching Google for your credit card number, passwords, or any other info that should be kept secret. Google keep their search data, plus anything you search for can be seen by anyone in a position to do so. Also many ISPs log web traffic, and you have absolutely no idea who has access to this data or for how long it is kept.
You have been warned.
Of course, if you’re punching your credit card numbers and private passwords into Google search, you’re ALSO inputting your information into Google’s databases. Google keeps records on all searches … for years.
If you do search for your credit card details on Google and you’re logged in, be sure to clear your web history in your account. Otherwise, Google will store your searches and that’s definitely not a great idea.
@John E - agree with that. It also raises other thoughts…
I’ve heard of people storing key information in gmail “draft” emails (ones they’ll never send). Things like passwords, for example, bank account numbers. It makes it easy when you’re away from home to login to gmail and get to stuff you need for logging into less-frequently-used sites, etc.
To me this is far more scary a thing to do than what I’m proposing…
-Alister
Thanks Man. I will remember to use Google checkout or paypal wherever possible.
Good for google to have indexed those numbers or we wouldn’t have found out.
Ron
Alister,
excellent discovery. It is funny with all the different comments about not searching for your credit card number. ahh, the power of digg and all the comments it brings.
If people are too scared, then how about searching for 10 out of the 15/16 digits?
You know what your local police are going to do? Nothing. They probably don’t even understand what you found. Not long ago someone was actually forging checks in my company’s name and trying to scam people with them around the country. Yeah we called the local police. They took some information, and did nothing, because the Internet is not their jurisdiction and they’ve got better things to do.
Besides, I’d almost guarantee you that any credit card numbers you found were expired, passwords had been changed, etc. That kind of information has a very short period of validity before it’s flagged by credit card companies.
@Eli - you’re the second person to give me doubts today about what my local Police will (or won’t) do…
So I just got off the phone with the US Secret Service. I have the data for them, and (I assume) one of their IT agents will get back to me.
Which brings me to the point that it was really hard for me to work out who to call. There’s tons of info online about what to do if you think your data has been stolen, but nothing much telling you who to call if you uncover fraud, as I did.
Anyway, I’m about to go to bed, but I’ll await their call in the morning
-Alister
Are you serious? Your article really suggests that users search Google for their credit card number? Do you see the incredible problems with that?
In my opinion, your credibility as any kind of security ‘expert’ just went right out the window.
I’ll come back and look for your response to my comment.
@Cuban - You tell me what’s wrong with it. You tell me seriously what the security issues are. Unpack them. I don’t see them as clearly as obviously you do. I am keen to hear your thoughts, as are others here.
If you can make your points clear, and I see my error… I will be the first to admit it.
But all I’m getting right now is people telling me off but not *really* explaining the risks.
Note also my clarifications on previous comments as to why I don’t think there is any serious risk.
But over to you (or others similarly aghast at my suggestion).
-Alister
You seem to be suggesting that using a ’salted hash’ is a great way for a vendor to store a credit card number. It’s not. A hash is a ONE WAY operation, therefore, when Joe Vendor wants to retrieve your card number to charge it - he can’t.
Hashes are commonly used for passwords. When a user signs up, the application places the hashed password in to the database, then on subsequent logins, the application rehashes the password the user supplies and checks this against what is stored in the database. This has the benefit of never storing a decipherable password in the database - but it is no good if you actually want to retrieve the original data.
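Chris’s sign-up and login flow above, together with the post’s “salted hash” remark, as an added example that is not code from the post or from any commenter: a per-user random salt with PBKDF2, checked at login by re-hashing, beside the unsalted MD5 pattern it replaces. The function names and the stored record layout are assumptions.

```python
"""Added example (not from the post or its comments): storing a login
password as a salted, iterated hash and checking it at login by re-hashing,
compared with an unsalted MD5. Function names and record format are
hypothetical."""
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000   # PBKDF2 work factor; raise it for production use


def unsalted_md5(password: str) -> str:
    """The weak pattern: every user with the same password gets the same
    digest, so one precomputed table cracks all of them at once."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.
    A fresh random salt per user means identical passwords hash differently."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Login check: re-hash the supplied password with the salt and iteration
    count taken from the stored record, then compare in constant time. The
    original password is never recovered from the record, which is exactly
    why a hash suits passwords but not card numbers a merchant must charge."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:
        return False   # malformed record: wrong field count or bad hex/int
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    rec_a = hash_password("fr3dd0-yahoo")
    rec_b = hash_password("fr3dd0-yahoo")
    print("salted records differ:", rec_a != rec_b)
    print("md5 digests collide:", unsalted_md5("fr3dd0-yahoo") == unsalted_md5("fr3dd0-yahoo"))
    print("login ok:", verify_password("fr3dd0-yahoo", rec_a))
    print("wrong password:", verify_password("fr3dd0-google", rec_a))
```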
Hi Alister-
Great article, and I too am surprised at the number of people that are alarmed regarding the CC numbers. What good is a CC# without the security code and the correct name and address to go with it? If someone at Google (or even the dreaded government) fished it out of a billion search queries, how on earth would they go about finding the person’s name or all the other pertinent information? (unless of course, the person was stupid enough to type all of that info down on a web page in plain view of Google’s search bots)
Wish me luck as I try this logic out over at Digg…
@Chris - perhaps we’re getting confused on terms here… that may be my fault.
I thought “hash” just meant a standard-length obfuscated string representation of something, and that while, say, MD5 is a one-way hash, others (perhaps AES or somesuch) are not.
If hash was not the right term to use here I plead ignorance on the right term, but I think the programming principle I was making is still valid.
Thanks for that clarification.
-Alister
Putting in your CCN is a bad idea, as other people have already mentioned it can get leaked a variety of ways. You claim having just the number out in the wild isn’t a big deal because it is easy enough to generate ‘fake’ numbers using the Luhn checksum. However I think that is wrong. If someone gets your name and CCN then they can fairly easily guess the expiration month by simply trying to buy a small item from amazon (or another merchant) until it goes through. There are only 12 possible expirations a year, and only a few years a card is typically good for. Easy enough to brute force for a competent scripter. If people really want to search for this stuff, go for searching your name and last four, though I still wouldn’t do that either.
Of course, by taking this author’s advice and googling your credit card number, you are deliberately putting your credit card number into an online database - Google’s. So if you do this, be sure you trust Google, now and forever.
O, the evils you could have done.
Nice job on alerting the authorities asap - - A few dark figures may have done otherwise.
this is all common sense stuff that we should all know
Search google without using HTTPS is almost impossible. It is NOT a good idea to simply put your credit card into google unencrypted!
Alister,
I posted the following response to you, but I don’t see it anywhere in your comments… so here goes #2:
Alister Cameron -”- You tell me what’s wrong with it.”
Fair enough, Alister. So the reason you would never, EVER want to type your credit card number into google is:
1. You’re not on an SSL Connection - Your search can be intercepted by someone as LEGIT as your ISP and as illegitimate as your neighbor 3 doors down sharing your cable network
2. Your machine could have spyware recording your searches - Even Legitimate toolbars like Yahoo and Ask.com Toolbars (Not to mention Google) record entries and send them back to the mothership. Yahoo knows what you search on google, when you’re using them. Once that happens, you’re not in control of that Data. others are. And this doesn’t even account for the countless numbers of illegitimate toolbars installed with P2P clients, Keygens, pornography, software cracks, and the like.
3. Google search data is NOT protected. If you ever stand in the Google Corporate Offices Lobby, you’ll see that google randomly selects and samples real-time search information, and displays this search data on two 60 in LCD’s in their corporate office. If this is going on, you have no guarantee as to who is viewing your data, period.
So those are my arguments. I trust you’ll have a fair amount of agreement?
Regards,
Cuban
Great tips. I’m amazed some sites get business looking like they do.
As you say, the SSL cert means nothing. Yet Verisign and others now sell EV SSL Certificates with the green bar…ooooo. So now e-tailers have to burn more cash so ill-informed consumers don’t panic when the green bar does not appear. It still doesn’t mean the site/server is safe. It means the company exists, that’s all.
The cc companies’ answer is Verified by Visa (MasterCard have one too now). How does giving the last 4 digits of your SS number and yet another password (admit it, you use the same one don’t you) make your transaction any safer?
Hi Alister! Congrats! This post is getting a lot of traffic. A lot of good insight here.
I’d recommend, though, adding a warning near your text that says “So here’s the suggestion: search Google for your credit card number. ” I agree with the comment by Cuban above about the security issues. Maybe you could move some of those risks up into the article as a fair warning?
Cheers,
Mason
“So here’s the suggestion: search Google for your credit card number.”
This has got to be the stupidest suggestion.
Typing your credit card number in cleartext in the google search box and sending across the internet. Don’t you see something wrong with that?
NEVER Google for your personal details as you are sending them over the internet in plain text!
This is extraordinarily bad advice and should be removed from the article.
Scary Scary Stuff…but why would you type your own info in for Google???
I once googled my social security number, found it, got the page taken down. Problem solved. Had I followed the advice of the paranoid folks on this page I would have not sent my social security number to google and there still would be a page with my SS number on it. People gotta weigh the risks and decide which one is more dangerous: a public credit card number or the search for a credit card number.
@Matthew Martin - thank you, thank you, thank you!!! People with your experience are the very reason why I wrote this post in the first place! It sounds like a scary thing to do, to enter your personal details (or key parts of them) in to Google or any other leading SE… but for those people who DO find their private information online somewhere and can take the appropriate action to protect themselves… there is all the reason in the world to have searched in this way! Think about it, folks!
-Alister
crazy stuff. thanks for bringing it to my attention
Hey there! Freaky article but awesome at the same time! geeee thank god i never came to the extent of purchasing online :/
Well keep up the good work on all your blogs, I try to keep myself updated, unfortunately the music industry leaves you breathless (literally) …
Regards
Billy.J
=)
It’s scary how much someone can pilfer about you just by using Google really. Like you say the best method is to never do anything online but that’s not really a practical answer, these e-commerce sites need to clean up their act if an internet world is ever going to be safe from credit fraud.
I already knew all these hints except for the second hint, “Don’t buy from ugly sites”. It is a simple hint but one I never paid attention to in this detail, and I believe that many people ignore it. Congratulations on the hints.
Great information! Thanks for pointing this out as the web has become a huge place of information, I’m sure more people are going to experience this.
Just hope my information wasn’t in there!
wow… that is some scary stuff. thank you for the informative post.
Great information! Thanks for saving me some time and loss of my personal finance information!
That is scary! Hopefully you didn’t find my CC info, hehe
43 Trackbacks/Pingbacks
[...] a great post on basic personal web security from “blogologist” Alister Cameron. Cameron mentions that he recently found a text [...]
[...] Alistair Cameron accidentally uncovers your credit info on the web. [...]
[...] Alister Cameron stole your credit card numbers!. Then he goes through some pointers on how to keep yourself secure in the online world of interweb [...]
[...] October 24th, 2007 · No Comments You won’t believe it! Article here. [...]
[...] Security Posted By: craigdorn Published in Security, Shopping, credit cards 24Oct Alister Cameron has posted a great article on the perils of online transactions and other security [...]
[...] The post in question was regarding Alister’s unintentional uncovering of a list of credit card numbers through Google. While I’m not terribly concerned about someone uncovering my credit card number (let’s face it, it’s hard to buy stuff on a card with no available credit), I did think about the advice he gave about searching Google for your own credit card number. [...]
[...] [from coolkid] Did I uncover your credit card details on the web today!? [...]