May 25, 2015: Updated with Hacker's List reaction
In February, an Alabama woman named Terri went on a hacker-for-hire website called Hacker's List, and posted a job she needed done.
"I need to get information off an iPhone6, mainly texts (current and deleted if possible and the call log)," she wrote. "Or get into their email account … Thanks so much!"
When Terri made the request on Hacker's List, which had been written about in the New York Times the month before as a way to "get some espionage done," she probably didn't realize that the request would later be publicly associated with her name, phone number and address.
Hacker's List is like a Craigslist job board, but for hackers. Since it launched in October, thousands of people have put in requests — some of which were probably for legal hacking tasks, but many of which weren't. People who worried their significant others were cheating posted requests for a hacker to break into Facebook accounts, get Gmail passwords, and copy WhatsApp logs. Struggling students sought computer experts who could break into their schools' computer systems and change their grades. Hackers could then bid on the projects, with most going for $200 to $300. Unlike many hacking-for-hire sites, this one was not underground, on the Dark Web, only accessible by Tor. It's on the open Web, and you can sign in with your Facebook account.
After the New York Times unmasked the website founder last week — Charles Tendell, a "white hat hacker" and army vet based in Colorado — security researcher Jonathan Mayer decided to give the site a closer look. He wanted to see how a hacker economy operates, so he created a website crawler to gather data about what kind of projects were being posted and how much hackers were bidding on them. The crawl turned up something else as well though: the accounts on the site were supposedly pseudonymous, but Mayer was quickly able to link people's identities to many of the listings, including their names, email addresses, phone numbers, and Facebook profiles. Though it's not obvious to a user of the site, "there's an API for getting contact information associated with a project," explained Mayer by email. "There remains a popular misconception that the Internet is highly anonymous. It isn't."
Update: After this report, Hacker's List sent out an email, available below, to users letting them know that it was disabling its Facebook log-in. "As with any website we have places we can improve," Hacker's List founder Charles Tendell told Fusion by email. "I appreciate Mr. Mayers' work and he pointed out a place to improve on privacy and security. Since his release we have taken steps to mitigate this sort of disclosure and encourage our users to not place personal information on their posts."
Using data from the site, Mayer compiled a list, outing hundreds of people who had hoped to hire a hacker to do illegal things for them. It comprises thousands of mini dramas, where "normal people" hope a computer expert can solve their life problems or reveal the truth about people they love or work with. (If you have a paranoid partner, you might want to check the list to make sure your significant other hasn't asked a hacker to break into your accounts.)
Mayer wrote about his findings Thursday, and included a spreadsheet with the raw data from the crawl which includes over 6,000 job postings. Along with people's names and contact information, when it was available, it describes the hack they wanted done. Among them were: hack a husband's WhatsApp messages, delete a hated rival's Instagram account, and access an ex-employee's email account to see if they stole intellectual property.
I reached out to over a dozen of the people who were outed by Mayer, but only heard back from two. Both were students who had hoped to get a hacker to alter their grades. One user, who signed up as "NeedHelp" but was exposed as Steven in an email, wanted a hacker to "guarantee he'd be accepted to the university" of his choice. He said he received responses but "nothing serious." When I asked if he was surprised at being outed for using the site, he said, "I feel as exposed to doing this as you would to changing your clothes in a public dressing room… you know the risks."
Another man, who was identified as AlphaJ on the site but as Adam J. by email, says he never got a response on Hacker's List after posting that he needed a grade change for a master's program he did. "I didn't pass two classes and then the program closed," he wrote. "I need those grades to change and my gpa to go up."
I asked Adam if he realized his email address would be exposed by the site. "Not at all," he wrote back. "How would I change that?"
It's a little late now — the damage has been done for this initial wave of hacker-hirers. But we may now see a bunch of job requests flood into Hacker's List asking how to get names erased from Mayer's spreadsheet.