Data breach monitoring sites, however, are stepping in and alerting the media about alleged breaches -- some of which weren’t fully known.
“There have been some cases of websites straight up denying that they have been breached, when it is clear that they have,” said Keen. Other websites may notify the public, he said, but by then it can be too late.
Almost every day, Vigilante.pw is collecting new stolen databases, sometimes even from hackers wanting to publicly shame a website for being breached. “The problem is that we add so much data that it doesn't really garner enough attention unless we contact journalists,” Keen said.
A double-edged sword?
Raising awareness is one thing, but other sites, including Leakbase and LeakedSource, are trying to make a business out of breach monitoring. Both go beyond listing data breaches and offer a paid, searchable database of all the accounts they have on file. That can include information such as passwords.
LeakedSource said the paid services can help businesses detect which of their users have been exposed in past breaches.
“These people aren't abusing our services,” LeakedSource said. “We are actively turning away people offering money because we couldn't verify what they were going to be using our services for.”
LeakedSource's website also says that all the information it has found is already online in some form and freely available.
Not everyone agrees with making the stolen data so accessible, especially if the motive is making money.
“Where would you draw the line about bringing breaches to light?” Kali asked.
Although it's important to warn the public, she fears that posting too many details about data breaches, especially those of private services, can tip off hackers about where to strike next.
"That's why I think it's wrong," she said.