One Massive Hack Last Year - Nobody Noticed!


The MD5 message-digest algorithm is a widely used cryptographic hash function

Hackers last year quietly stole a database containing the details of over 57 million people. The breach has only come to light this week, after the stolen data was put up for sale on the dark web.

The breached data spans three years, between 2012 and 2015, and includes usernames, email addresses, and passwords that were hashed with the MD5 algorithm, which nowadays is easy to crack. Many cell phone numbers and Facebook usernames are also in the cache.

Many of the email addresses in the leaked database are associated with major companies, like Apple, Twitter, and Google, as well as Western government departments and agencies. It comes just a day after a similar, yet unrelated breach of user data.

A grey-hat hacker, who goes by the name Peace, obtained a copy of the stolen data from Russian hackers, and provided a number of files containing the breached data to ZDNet earlier this week. Security expert Troy Hunt, who runs breach notification site Have I Been Pwned, helped analyze and verify the data. Hunt found over 52.5 million unique emails in the cache, suggesting the vast majority of data has not been previously leaked.

But here's the twist: nobody can say for sure where the data came from.

Peace said in an encrypted chat that the data was stolen from a well-known dating site, Zoosk, which has more than 33 million users, by allegedly exploiting vulnerabilities in the website's outdated software. The hacker declined to give specific details. Peace then put the breached database, about 4.6 gigabytes in size, up for sale on a dark web marketplace for 0.8 bitcoins, which at the time of posting was about $400 per download.

Zoosk denied that it had been hacked after examining a sample of the cache, citing inconsistencies in the data. "None of the full user records in the sample data set was a direct match to a Zoosk user," a spokesperson said in an emailed statement.

Although a fraction of the email addresses in the sample matched Zoosk accounts, the spokesperson said that this was likely attributable to using the same email on different sites, which many do.

Hunt reached out to some who were named in the breach. Several users were able to confirm that the email address they used on Zoosk roughly matched up to the date they registered, but others vehemently denied altogether that they had used the site.

Rasmus Poulsen, whose email address and password were found in the breach, said in an email that he "wasn't as shocked" as he thought he would be. "Luckily I'm in the process of implementing LastPass on all sites and services that I use, so the security impact isn't as bad as it could be," he added. Like others, he used the same email address for different services, including Badoo, he said.

He confirmed that while he had previously signed up to Zoosk, it wasn't with the email address used in the breach. "It would have come from Badoo and not Zoosk," he said.

Badoo, headquartered in London, UK, stands as one of the largest dating websites in the world with more than 300 million users signed up to date. A spokesperson for Badoo denied that it had been hacked. "Badoo has not been hacked and our user records [and] accounts are secure. We monitor our security constantly and take extreme measures to protect our user base. We were made aware of an alleged data breach, which upon a thorough investigation into our system, we can confirm did not take place," said a spokesperson.

According to Hunt's data analysis, there are about 88,000 emails containing "badoo.com." When we examined further, many of these appeared to be internal corporate accounts used for testing purposes. Many of these accounts had the same or similar passwords.

In an email, Badoo founder Andrey Andreev confirmed the existence of about 19,000 test email accounts in the stolen database. He said the company will "use these [accounts] to test our competitors' products as well."

"Any Badoo test accounts expire after a maximum of 30 minutes and they cannot be accessed externally," said Andreev. When pressed, he would not say which services these accounts were registered with because Badoo does "not store the details as they are removed so quickly."

Many thousands of other Badoo email accounts in the database appeared at "@mobile.badoo.com." These accounts are associated with those who sign up with their cell number, which is turned into an internal Badoo email address. Andreev confirmed in a follow-up email that this is how Badoo stores users' cell numbers when they sign up.

Neither Andreev nor a Badoo spokesperson could say how or why this data was part of the stolen database, but both maintained that the company had not been hacked. "We have over 30 million phone registrations out of our 300 million registrations. Please take this as an indicator that the information provided to you is not the result of a database breach, but rather must have come from a different source not supplied by Badoo," the spokesperson said.

Andreev also added that the company uses "a different form of one-way encryption" than MD5, but would not say what.

Nobody has claimed the leaked data as their own, but it almost doesn't matter.
Now that millions of usernames and passwords are sitting in a dark web marketplace, and ready to be bought for a rock-bottom price, the damage is already done.
ZD Net: http://zd.net/1Wcol4M
