Comparitech, along with IT security researcher Bob Diachenko, has discovered a massive trove of login credentials that was exposed to public access without any authentication or security.
In 2017, HackRead exclusively reported on DoubleFlag, a hacker who was selling one billion user accounts stolen from several Chinese Internet giants including QQ, Sina, and Tencent. Now, the same data has been identified hosted on an exposed IP address.
According to a blog post from Comparitech, the database held over 2.7 billion email addresses along with 1 billion passwords in plain text. In total, the database contained 1.5 TB of data, which is ideal for cybercriminals looking to carry out spam and other malicious attacks.
In addition to email addresses and passwords, the records contained MD5, SHA1, and SHA256 hashes of each email address. Hashes are encrypted text—the email address, in this case—with a fixed length, wrote Paul Bischoff of Comparitech in a blog post.
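As an added illustration of the hashed-email records described above (this is not code from Comparitech, HackRead, or the database's owner), the Python below computes the same MD5, SHA1 and SHA256 digests of an email address and shows why they matter to a defender: these functions are unkeyed and deterministic, so anyone holding a plaintext address can recompute the digest and match it against a dump, which is how an organisation can check its own users' exposure. The keyed HMAC variant at the end is the mitigation: it preserves exact matching for the key holder while denying that ability to a third party. The email addresses and the "leaked" hash set are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample addresses (the .invalid TLD is reserved and never resolves).
# The local parts mimic the phone-number-style usernames the article describes.
SAMPLE_EMAIL = "13800000000@example.invalid"
OTHER_EMAIL = "13900000001@example.invalid"


def email_hashes(email: str) -> dict:
    """Return the MD5, SHA1 and SHA256 hex digests of an email address.

    The address is trimmed and lowercased first so that case or whitespace
    differences in the source data do not produce different digests.
    """
    data = email.strip().lower().encode("utf-8")
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed stand-in for a dump that stores only hashes of the addresses.
# Built here from the sample addresses so the block runs offline.
LEAKED_HASHES = set()
for _addr in (SAMPLE_EMAIL, OTHER_EMAIL):
    LEAKED_HASHES.update(email_hashes(_addr).values())


def exposed(email: str, leaked_hashes: set) -> bool:
    """Check whether an address appears in a hash-only dump.

    Because MD5/SHA1/SHA256 carry no secret, a defender who knows the
    plaintext address can recompute all three digests and look them up.
    """
    return any(h in leaked_hashes for h in email_hashes(email).values())


def keyed_hash(email: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised address under a secret key.

    The key holder still gets deterministic matching; without the key a
    third party cannot derive this value from the plaintext address.
    """
    data = email.strip().lower().encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print(email_hashes(SAMPLE_EMAIL))
    print("sample address in dump:", exposed(SAMPLE_EMAIL, LEAKED_HASHES))
    print("unrelated address in dump:", exposed("nobody@example.invalid", LEAKED_HASHES))
    print("keyed digest:", keyed_hash(SAMPLE_EMAIL, b"secret-key-held-by-operator"))
```

The practical use for a security team is the `exposed` check: feed it the addresses you are responsible for and a hash set parsed from a dump, and you learn which of your users to notify without needing the dump's plaintext column. The `keyed_hash` function shows what the leaked records should have looked like if hashing was meant to protect the addresses rather than merely index them.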
The database was discovered on December 1st, 2019, indexed on the BinaryEdge search engine. The owner of the database could not be identified, so Diachenko contacted the ISP hosting the IP address of the exposed database, and on December 9th access to the data was shut down.
However, what’s noteworthy is that the database was still being updated with new records while it was exposed. For instance, when the database was identified it contained 2.6 billion records, but that figure had grown to 2.7 billion by the time researchers finished their background checks on the exposed data.
Another important aspect highlighted by researchers at Comparitech was that Chinese users often use their phone numbers as usernames, since English is rarely spoken in the country and English characters are awkward for many users to work with. Researchers therefore believe that most of the leaked email addresses are based on users’ phone numbers.
The full list of domains whose data was exposed in the database is given below:
Netease: 322 million records
Tencent: 130 million emails
Sina: 31 million records
Sohu: 23 million
Some data from Tom Online, Eyou, Nate, Google (Gmail), Yahoo (YahooMail) and Hotmail (Hotmail.com) was also included in the database. The list is exactly what HackRead reported back in 2017.
Anurag Kahol, CTO at Bitglass told HackRead that, “What stands out about this incident is the sheer volume of records that were left publicly accessible. The number of people affected in this event eclipses that of a recent security debacle wherein another database containing 1.2 billion records was left exposed.”
“When massive amounts of consumer information are compromised, it enables cybercriminals to execute highly targeted phishing campaigns. Malicious actors can even use these swathes of personally identifiable information (PII) to hijack specific accounts that have access to more sensitive information, including banking, healthcare, and other accounts,” said Anurag.
“Consumer data is precious, and it is imperative that the proper controls are in place to secure it. To prevent future incidents, organizations must have full visibility and control over their customers’ data (no matter where it is stored or accessed) by leveraging solutions that enforce real-time access control, detect misconfigurations through cloud security posture management, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage,” Anurag explained.
As for DoubleFlag, the hacker originally behind this breach, they are also the mastermind of several other large-scale data listings on dark web marketplaces such as Hansa and AlphaBay. Their listings have included Dropbox, BitcoinTalk.org, Mail.ru, Yandex.ru, Brazzers, Epic Games, ClixSense, Experian, WhoIs, user accounts from 11 separate Bitcoin forum breaches, and United States Cellular Corporation (U.S. Cellular), among others.