Hacker who stole 620 million records strikes again, stealing 127 million more

A hacker who stole close to 620 million user records from 16 websites has stolen another 127 million records from 8 more websites, TechCrunch has learned.

The hacker, who was listing the previously disclosed data for about $20,000 in bitcoin on a dark web marketplace, stole the data last year from several major sites — some that had already been disclosed, like over 151 million records from MyFitnessPal and 25 million records from Animoto. But several other hacked sites on the marketplace listing didn’t know or hadn’t disclosed yet — such as 500px and Coffee Meets Bagel.

The Register, which first reported the story, said the data included names, email addresses, and scrambled passwords, and in some cases other login and account data — though, no financial data was included.

Now the same hacker has 8 additional marketplace entries after their original listings were pulled offline, including:

  • 18 million records from travel booking site Ixigo
  • Live video streaming site YouNow had 40 million records stolen
  • Houzz, which recently disclosed a data breach, is listed with 57 million records stolen
  • Ge.tt had 1.8 million accounts stolen
  • 450,000 records from cryptocurrency site Coinmama
  • Roll20, a gaming site, had 4 million records listed
  • Stronghold Kingdoms, a multiplayer online game, had 5 million records listed
  • 1 million records from pet delivery service Petflow

According to the hacker’s listings, Ixigo and Petflow used the old and outdated MD5 hashing algorithm to scramble passwords, which these days is easy to unscramble. YouNow is said to have not scrambled user passwords at all.

In all, the hacker is selling the hacked data for about $14,500 in bitcoin.

The dark web marketplace listing for Houzz. (Image: TechCrunch)

Ariel Ainhoren, research team leader at Israeli security firm IntSights, said that the hacker may have used the same security flaw to target vulnerable sites.

Six of the 16 databases were running the same back-end PostgreSQL database software, said Ainhoren in an email to TechCrunch. In successfully exploiting the bug, the hacker was able to “dump” the database to a file and download it.

“We’re still analyzing it, but it could have been that he used some kind of vulnerability that surfaced around that time and wasn’t patched by these companies or a totally new unknown vulnerability,” he said. “As most of these sites were not known breaches, it seems we’re dealing here with a hacker that did the hacks by himself, and not just someone who obtained it from somewhere else and now just resold it.”

When reached, Jonathan Katz, a contributor for PostgreSQL, said the open-source project was “currently unaware of any patched or unpatched vulnerabilities that could have caused these breaches.”

“There are many factors that need to be taken into consideration when securing a database system that go beyond the database software. We have often found that data breaches into a PostgreSQL database involve an indirect attack vector, such as a flaw in an application accessing PostgreSQL or a suboptimal policy around data management,” he said. “When it comes to vulnerabilities, the PostgreSQL community has a dedicated security team that evaluates and fixes issues and, in the spirit of open source collaboration, transparently reports on and educates our users about them.”

None of the other companies immediately returned a request for comment, except YouNow, which said that its “security experts are looking into this situation but we cannot respond until we have more information.”

We’ll have more as we get it.

Cybersecurity 101: Five simple security guides for protecting your privacy

With hundreds of millions of people home for the holidays, now is a better time than ever to spread good tidings and cheer, and — well, some much-needed security advice for all the family.

Security sounds complicated, but it doesn’t have to be. Privacy is more important than ever. With an ever-changing and evolving landscape of threats and hacks, breaches and vulnerabilities, there’s no better time of the year to help your family navigate some of the most basic but effective security tips. (Let’s face it, you were bound to end up being called on for tech support at some point anyway.)

We’ve put together five how-to guides covering cybersecurity basics that anyone can learn — and everyone should learn, including:

Buggy software in popular connected storage drives can let hackers read private data

Security researchers have found flaws in four popular connected storage drives that they say could let hackers access a user’s private and sensitive data.

The researchers Paulos Yibelo and Daniel Eshetu said the software running on three of the devices they tested — NetGear Stora, Seagate Home and Medion LifeCloud — can allow an attacker to remotely read, change and delete data without requiring a password.

Yibelo, who shared the research with TechCrunch this week and posted the findings Friday, said that many other devices may be at risk.

The software, Hipserv, built by tech company Axentra, was largely to blame for three of the four flaws they found. Hipserv is Linux-based, and uses several web technologies — including PHP — to power the web interface. But the researchers found that bugs could let them read files on the drive without any authentication. It also meant they could run any command they wanted as “root” — the built-in user account with the highest level of access — making the data on the device vulnerable to prying eyes or destruction.

We contacted Axentra for comment on Thursday but did not hear back by the time of writing.

A Netgear spokesperson said that the Stora is “no longer a supported product… because it has been discontinued and is an end of life product.” Seagate did not comment by our deadline, but we’ll update if that changes. Lenovo, which now owns Medion, did not respond to a request for comment.

The researchers also reported a separate bug affecting WD My Book Live drives, which can allow an attacker to remotely gain root access.

A spokesperson for WD said that the vulnerability report affects devices originally introduced in 2010 and discontinued in 2014, and “no longer covered under our device software support lifecycle.” WD added: “We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device.”

In all four vulnerabilities, the researchers said that an attacker only needs to know the IP address of an affected drive. That isn’t so difficult in this day and age, thanks to sites like Shodan, a search engine for publicly available devices and databases, and similar search and indexing services.

Depending on where you look, the number of affected devices varies. Shodan puts the number at 311,705, but ZoomEye puts the figure at closer to 1.8 million devices.

Although the researchers described the bugs in moderate detail, they said they have no plans to release any exploit code, to prevent attackers from taking advantage of the flaws.

Their advice: If you’re running a cloud drive, “make sure to remove your device from the internet.”

Password bypass flaw in Western Digital My Cloud drives puts data at risk

A security researcher has published details of a vulnerability in a popular cloud storage drive after the company failed to issue security patches for over a year.

Remco Vermeulen found a privilege escalation bug in Western Digital’s My Cloud devices, which he said allows an attacker to bypass the admin password on the drive, gaining “complete control” over the user’s data.

The exploit works because the drive’s web-based dashboard doesn’t properly check a user’s credentials before giving a possible attacker access to tools that should require higher levels of access.

The bug was “easy” to exploit, Vermeulen told TechCrunch in an email, adding that it was remotely exploitable if a My Cloud device allows remote access over the internet — which thousands of devices do. He posted a proof-of-concept video on Twitter.

Details of the bug were also independently found by another security team, which released its own exploit code.

Vermeulen reported the bug over a year ago in April 2017, but said the company stopped responding. Normally, security researchers give 90 days for a company to respond, in line with industry-accepted responsible disclosure guidelines.

After he found that WD had updated the My Cloud firmware in the meantime without fixing the vulnerability he found, he decided to post his findings.

A year later, WD still hasn’t released a patch.

The company confirmed that it knows of the vulnerability but did not say why it took more than a year to issue a fix. “We are in the process of finalizing a scheduled firmware update that will resolve the reported issue,” a spokesperson said, which will arrive “within a few weeks.”

WD said that several of its My Cloud products are vulnerable — including the EX2, EX4, and Mirror, but not My Cloud Home.

In the meantime, Vermeulen said that there’s no fix and that users have to “just disconnect” the drive altogether if they want to keep their data safe.

Tortuga Logic raises $2 million to build chip-level security systems

Tortuga Logic has raised $2 million in seed funding from Eclipse Ventures to help in their effort to maintain chip-level system security. Based in Palo Alto, the company plans to use the cash to build products that will find “lurking vulnerabilities” on computer hardware. The founders, Dr. Jason Oberg, Dr. Jonathan Valamehr, Professor Ryan Kastner of UC San Diego, and Professor…

Twitter says Vine users’ emails and phone numbers were exposed for a day, but weren’t misused

Twitter is alerting Vine users of a bug that exposed their email addresses and, in some cases, phone numbers to third parties. It’s also advising affected users to be cautious about any emails from unknown senders as a result. The company says the bug was only active for 24 hours before being patched, and doesn’t believe that the data was misused in any way, at this time.…

Cloudbleed investigation turns up a million leaks but no signs of exploitation

Since Cloudflare revealed a bug that caused random chunks of data to leak from customer websites, including Fitbit and OkCupid, the company has worked to determine the extent of the problem. It turns out that the vulnerability caused extensive leaks — which isn’t much of a surprise, given the sheer number of websites that use Cloudflare for its security and performance…

Cisco and Fortinet say vulnerabilities disclosed in ‘NSA hack’ are legit

A group calling itself the Shadow Brokers dumped data online this weekend that it claimed to have stolen from the Equation Group, a hacking team widely believed to be associated with the NSA. Firewall makers Cisco and Fortinet have now confirmed that vulnerabilities included in the data dump affected their products — a disclosure that lends credence to the theory that the Equation Group…