When the since-suspended Twitter account started posting an Advent calendar of data leaks of hundreds of German politicians and media personalities last month, few noticed at first. But after the private profile was made public last week and went mainstream, German police were pleasingly efficient in tracking down a suspect.
The suspect has German citizenship, no job and lives with his parents in the central state of Hesse. At a news conference today, prosecutors and federal police said they believe he was working alone and that he had no strong political motives or ties to foreign intelligence agencies. What he did have was a lot of time and a general frustration with the people he doxxed.
Initial news reports blew up the incident as a “cyberattack on Germany” (looking at you, Bild), but this is much more accurately described as doxxing, the practice of squirreling out targeted people’s personal information and posting it on the internet. Some of the leaked data was already public, the federal police said, but the perp used “sophisticated” methods to collect the rest of it.
The affair has inspired Interior Minister Horst Seehofer to propose a new IT security law: Perhaps the Federal Office for IT Security could help identify compromised accounts faster or there could be EU-wide certificates to denote secure devices. Green Party co-leader Robert Habeck announced he was quitting social media altogether.
I have to step in here: This wasn’t some highly refined attack on the Bundestag’s intranet or a Trojan horse snuck onto prominent people’s smartphones. This was likely a guy with time on his hands targeting people who had simply undersecured their social network and email accounts.
Celebrities are just like us, so it’s likely that some of the people targeted used less-than-complicated passwords on their accounts and didn’t use two-factor authorization, which makes it more difficult for someone to break into online accounts. And once a hacker is in one email account or social network, it opens up a world of possibilities: He can use it to reset other accounts’ passwords or scrape contact lists. If the target reuses the same password across all their accounts, even better. Child’s play, really.
The idea that the federal police should hire the hacker, a proposition raised during the press conference, is laughable. By that measure, every jerk who doxxes someone on Reddit should be swimming in job offers.
The data dump, which includes substantial amounts of personal data for just 50 of the targets, does not indicate we’re dealing with a Wunderkind. (Though because he’s under 21, he may be tried in a youth court.) Rather than writing new IT security laws, Germany perhaps should focus instead on teaching its citizens basic internet security skills.
Grace Dobush is an editor with Handelsblatt Today in Berlin. To contact the author: [email protected]