A spate of groups and individuals have claimed that data obtained from the Office of Personnel Management (OPM) hack is available for sale on the dark web. This is despite flimsy, or sometimes no, evidence being presented, and one of the organisations has even admitted that it had no way of verifying the data that it found.
On Tuesday the International Business Times picked up on a report claiming that "some of the information taken in the [OPM] breach might be for sale on criminal dark net websites like Agora, Alpha Bay and Nucleus." IBT did not provide any additional reporting or corroboration in its article.
Instead, it just repeated findings that were cobbled together by Vocativ over two weeks ago. In that article, Vocativ pointed out that the personal information of US citizens, such as Social Security numbers, phone numbers, addresses, dates of birth and ethnicities, was being sold on the dark web. That is nothing new: the dark web marketplaces are a space ripe for exchanging stolen data, and have been used that way for years.
Vocativ then made the extraordinary leap that the data may belong to the OPM hack, because some of the sellers had advertised that they had access to a new database, and had added "updated 4.22," on their item listings. This, Vocativ said, "could be a veiled reference to the 4.2 million people that the government said were impacted by the breach."
Vocativ did not entertain the much more likely possibility that "updated 4.22" simply referred to the date that the listing may have been updated on: April 22nd. And besides, the listing in question is for stolen credit card data—something that probably wasn't part of the government's database on its employees.
But it's not just media companies that claim they've found the data being traded online. Earlier this month, Chris Roberts, the CTO of security company One World Labs, told Fox News that he had found remnants of the OPM hack on the dark web.
"The recent OPM breach was identified, noted and the credentials and identities have been discovered online and are being traded actively," he told Fox News.
When asked to confirm whether the company did indeed find that data, "Yes we did," One World Labs' CEO Mark Turnage told Motherboard in a phone interview. "Chris found that data."
Turnage disagreed about the specifics, however: "It's not my impression that it was offered for sale. I think it was archived somewhere on the dark net."
Despite his colleague's insistence to Fox that the data was legitimate, Turnage said that Roberts had not verified the apparent OPM data.
"He did not. There's no way for him to verify that data is real," Turnage said.
When asked on Twitter where he found the data, Roberts refused to provide an answer, and then claimed in private messages with this reporter that the "Feds requested data and then have said stfu on it...so have had to oblige."
This didn't stop Fox from reporting the revelations, and the journalist behind that story seemingly didn't attempt to corroborate it either. "I can only tell you that Mr. Roberts and his senior threat intelligence officer at OWL, who I believe have strong credentials regarding this area, told me that the material surfacing on the darknet was a product of the federal data breach," Fox News' Malia Zimmerman told Motherboard in an email.
But people have actually been advertising what they claim is the OPM data on the dark web. Over on the Hell forum, a hacker was peddling what they said were email credentials from the agency. Motherboard obtained a sample of the data, and although it was likely from a US government breach, there was no evidence that it was in fact from the OPM. Shortly after, security journalist Brian Krebs traced the credentials to a hack of the Federal Prison Industries website, and not the OPM.
Although it makes a great headline, good PR for a company, or perhaps an easy way to fool some naïve hackers out of their Bitcoin, there is absolutely no evidence that the OPM data is for sale on the dark web.