His job is simple: Find leaked and exposed data before the bad guys do.
NEW YORK — It’s a phone call you hope never comes in: Chris Vickery has found your company’s entire set of customer data on the
He sits at his desk, littered with external hard drives storing terabytes of data, in his home office in Santa Rosa, Calif., where
he scours the internet for data that shouldn’t be accessible — a phone number, a Social Security number, or credit card data —
sitting in databases that aren’t password-protected, open for anyone to access.
Using search engines for internet-connected devices, like Shodan, and tools that scan common ports where data typically live,
Vickery can tick off hundreds of internet addresses and their ports for leaky databases, badly configured backup drives, and other
inappropriately stored data.
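One way to run the same kind of check against your own address ranges, as an added example for this article and not Vickery’s, Kromtech’s or UpGuard’s own tooling: send a plain unauthenticated GET to each target on the ports where data stores commonly listen and fingerprint whatever answers. The port list, the response fingerprints, the hypothetical 10.0.0.x hosts and the sample responses are all assumptions constructed for illustration; the only network code is the `probe` function, and the demo runs offline against the constructed samples.

```python
"""Find data stores that answer without authentication (added example;
not the tooling described in the article). Ports, fingerprints and the
sample responses are assumptions constructed for illustration."""
import json
import socket

# Ports where exposed data stores are commonly found (assumed list).
HTTP_STORES = {
    9200: "elasticsearch",  # GET / returns JSON containing "cluster_name"
    5984: "couchdb",        # GET / returns JSON with "couchdb": "Welcome"
}


def _status(head):
    """Parse the HTTP status code out of the response head, or None."""
    first = head.split(b"\r\n", 1)[0]  # e.g. b"HTTP/1.1 200 OK"
    parts = first.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def fingerprint(port, raw):
    """Classify a raw HTTP response received from `port`.

    Returns {"service", "exposed", "detail"} or None when the bytes do not
    look like one of the stores above. A 401/403 means something answered
    but demanded credentials, so it is reported as not exposed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = _status(head)
    service = HTTP_STORES.get(port)
    if status is None or service is None:
        return None
    if status in (401, 403):
        return {"service": service, "exposed": False, "detail": "auth required"}
    if status != 200:
        return None
    try:
        doc = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        doc = {}
    if service == "elasticsearch" and "cluster_name" in doc:
        return {"service": service, "exposed": True, "detail": doc["cluster_name"]}
    if service == "couchdb" and doc.get("couchdb") == "Welcome":
        return {"service": service, "exposed": True, "detail": doc.get("version", "")}
    return None


def probe(host, port, timeout=3.0):
    """Send GET / with no credentials and classify the answer (network call;
    only run it against hosts you are authorised to test)."""
    req = b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            chunks = []
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except OSError:
        return None
    return fingerprint(port, b"".join(chunks))


def triage(targets, fetch=probe):
    """targets: iterable of (host, port). Returns only the exposed ones."""
    found = []
    for host, port in targets:
        hit = fetch(host, port)
        if hit and hit["exposed"]:
            found.append((host, port, hit["service"], hit["detail"]))
    return found


# Constructed sample responses standing in for real hosts (not captured data).
SAMPLES = {
    ("10.0.0.5", 9200): b'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n'
                        b'{"name":"node-1","cluster_name":"prod-logs","version":{"number":"6.2.4"}}',
    ("10.0.0.6", 9200): b'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="security"\r\n\r\n',
    ("10.0.0.7", 5984): b'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n'
                        b'{"couchdb":"Welcome","version":"2.1.1"}',
    ("10.0.0.8", 5984): b'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>not a database</html>',
}


def sample_fetch(host, port):
    """Offline stand-in for probe(): answers from the constructed samples."""
    raw = SAMPLES.get((host, port))
    return fingerprint(port, raw) if raw else None


if __name__ == "__main__":
    for row in triage(SAMPLES.keys(), fetch=sample_fetch):
        print("EXPOSED %s:%d %s (%s)" % row)
```

The fingerprint step matters as much as the port scan: a port that merely accepts a connection tells you nothing, a 401 tells you the store is there but guarded, and only a 200 carrying the store’s own identifying JSON is a genuine exposure worth a disclosure e-mail.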
It’s a race to find accidentally exposed data before the bad guys do.
But it’s a time-consuming and technical job that requires focus, patience, and the temperament to accept failure and to know
when to call it a day.
Like other work in security research, it also requires operating ethically and within the law. When
Vickery finds an exposed database, he goes through a process of responsible disclosure, usually as simple as privately informing
the company of its mistake, in the hope that it can seal the leak before a criminal can steal the data.
Only when the data is safe does he blog about his findings so that readers can learn from others’ mistakes. “It’s kinda like a
treasure hunt,” he told me on the phone last week.
Vickery, a softly spoken southerner, isn’t driven by money or reputation — though the latter has become an occupational hazard of
Through his blog, Vickery has sparked more headlines in recent years than almost any other security researcher, and yet he isn’t a
household name. His work has resulted in protecting the personal information and privacy of tens of millions of people.
In the past few years, Vickery has found sensitive data from hotel chains, a massive financial crime and terrorism database,
several exposures of health data, leaked data from a dating app for HIV-positive people, a publicly stored trove of voter
registrations on 93 million Mexicans, a law firm’s files that cast doubt on the official report into an inmate’s death, and a
leaky airport server that stored highly sensitive TSA files, to name just a few.
His work for the past couple of years has been associated with Kromtech, the maker of MacKeeper, a controversial utility for
Apple desktops that has drawn complaints and concerns, which the company has rebuffed, in part over its perceived pushy
advertising tactics and aggressive affiliates.
It’s fitting that it was a data breach that brought him to the company, after he found 13 million accounts in its unprotected
As of Monday, Vickery started a new full-time role at UpGuard, a cybersecurity startup, which last year raised $17 million in
financing, pinned on its core product, a cybersecurity grading system.
The Mountain View, Calif.-based company’s flagship product is a credit-style score for cybersecurity, which determines a company’s
cyber-risk factors by scanning its internal network and systems and spitting out a report on where it can improve. UpGuard also has
a free web-based tool that lets anyone run a scan on any company’s external network (such as a website and subdomains) to measure
its security posture.
The company’s co-founder and co-chief executive, Mike Baukes, said on the phone last week that Vickery’s name “kept coming up” in
the discovery of data breaches.
“Our capability isn’t just about developing products that help fix issues that Chris finds,” said Baukes. “It’s also about
elevating these issues to the right places and raising the industry’s awareness,” he said, arguing that many cybersecurity products
have an “inability to translate the issues properly” and leave “people in the dark” about what they need to do next.
“We share a similar belief system,” said Baukes, calling Vickery’s work “deeply honorable.”
Vickery’s work began back in his native Austin, Texas, while he was working his then day job as an IT technician at a law firm.
What was initially an academic curiosity about security and data protection slowly evolved, as his fascination with the field
grew, into a
One small data exposure led to another, and in those formative early days he came to recognize that there were huge swathes of
exposed data if you knew where to look.
He jumped down the rabbit hole of data breach discovery and hasn’t turned back.
Now, Vickery is seen by many, reporters and fellow security researchers alike, as the master of the internet’s lost-and-found
department. He’s driven by a desire to return this leaked and misplaced information to its rightful owner. He works by a strict
set of mostly self-imposed ethical rules, and his process from discovery to disclosure relies almost entirely on reaching out in
good faith to the unwitting companies that, often through carelessness, have leaked the information their customers trusted them
with, and asking them to come clean.
“If the companies that I inform respond well and fix things and don’t just ignore me and think I’m trying to take advantage of them
somehow. And if they do notify the affected people, secure it quickly, and are open about it — and they’re not trying to demonize
me — that’s a good day,” he said.
“A lot of the time those elements don’t come together,” he explained.
But not everyone appreciates what he does.
Few want to be told that they have committed a basic but catastrophic security error. All too often, though, Vickery’s
good-samaritan act is met with hostility, or worse, he’s used as a scapegoat when companies seek to shift the blame onto the work
of a “hacker.”
“It’s extremely frustrating when companies don’t take responsibility for breaches,” he said. “But it’s a natural human response for
some — a knee-jerk response,” he said, to blame the person who found the data rather than their own shoddy security.
Vickery is not a hacker, but the law covering security research and breach discovery is far from simple, thanks to the antiquated
1986 Computer Fraud and Abuse Act (CFAA), persistently criticized as a barrier to security research for its overbroad terms and
definitions.
The law bites where a hacker gains “unauthorized access” to a server, such as by using or cracking a password that keeps everyone
else out. The data that Vickery finds was never protected in the first place.
Arguably, his discoveries are no different from how ordinary internet users browse the web.
“Browsing is requesting files from a directory on a web server and displaying them onto your screen. Every time you visit Amazon,
you’re downloading files from Amazon’s servers. That’s exactly what I’m doing,” he said.
“If what I’m doing is illegal, then browsing any web page is illegal,” he said.
The CFAA has been widely ridiculed. The law, for instance, has been read as making it illegal to share your Netflix login with
someone else, or even your social media account, effectively putting any social media team of any leading brand at risk of violating federal
Congress has tried to fix the law but to no avail, and it remains a serious threat to security researchers and their work.
But just last month, Vickery was named in a lawsuit filed by River City Media, a company accused of being a top spammer, which
exposed its own systems by failing to put a password on a backup drive. The lawsuit calls Vickery a “vigilante black-hat hacker,”
though no government agency has ever brought charges of its own.
“They have made up a lot of things I’m certain they can’t prove,” he said in response to the complaint. “Certain people will always
try and defer blame,” he said. “What is a profit-minded corporate guy going to do — potentially give up millions of dollars in
fines or say that this one guy hacked me? It’s a clear decision on their side. The best leaders and companies will accept
responsibility in a situation — but bad businesses, they tend to focus on ‘shooting the messenger’.”
I asked whether the lawsuit, if successful, could have a chilling effect on security research — or even for reporters, like
myself, who cover data breaches, leaks, and exposures.
“If they can make up and fabricate events and have a jury believe them — well that’s going to have a far greater effect than
chilling researchers and data breach reporting,” he said.
“That means the entire system is broken,” he added.
It doesn’t seem that Vickery will back out of this line of work anytime soon. He’s a man on a mission, and he admits that his
already hectic schedule far exceeds the nine-to-five confines of most corporate jobs. It’s something he loves, and a necessity for
the next wave of Americans whose data he wants to try to protect.
But it’s a hostile world, and he, like the rest of the security community, faces persistent and undue hostility from the corporate
world absent what he calls a landmark decision that would change the face of computer law enforcement. The River City Media case
could, if it escalates, put Vickery at the forefront of that change, for better or for worse. It makes you wonder why someone would
put themselves in the line of legal fire.
“Somebody has to do it,” he said. “And I feel a duty to carry on doing what I do.”