The OTP-generating firm counts some of the top giants among its clients, including Google, Facebook, Amazon, Apple, Microsoft, Signal, Telegram and Twitter.
A hacker appears to be selling sensitive data they claim to have stolen from an OTP-generating company. This particular company counts some of the most popular tech and business giants among its customers, including Google, Facebook, Amazon, Emirates, Apple, Microsoft, Signal, Telegram, and Twitter.
The same hacker also claims to have real-time access to the company's one-time-password (OTP) system. However, Rajshekar Rajaharia, the InfoSec researcher behind the discovery of this alleged breach, disagrees with the hacker.
"The seller was active on the dark web forum for a long time claiming to sell live access to OTP and 2FA, but from what we have seen there are some chances that the data might be old, as we have found some clues that changes have been made with dates. Nevertheless, we are still investigating because the data seems real otherwise," Rajaharia told Hackread.com.
What type of data is being sold?
Rajaharia also shared sample data with Hackread.com, which confirmed the presence of one-time codes. Although they may not all be usable or valid today, a buyer could potentially find important material that still works, depending on the platform and its policies.
Amongst other information, the listing offered to reveal 50GB of exfiltrated data. The access price was dropped from an initial tag of $18,000 to $5,000. Although the firm's name was mentioned in the listing, sharing it is deemed unethical for security reasons.
Other data included in the sold pack is personally identifiable information (PII) such as SMS logs, mobile numbers, email addresses, SMPP details, customer documents, and more. The data itself is extensive since it dates back to 2017.
According to the latest development, the seller has moved the listing from the dark web marketplace to Telegram, where sales continue, but the number of buyers is unknown. The data packs also appear to include ten million OTPs.
The company denies data breach
The company in question denied all claims of a data breach, responding that its systems were as secure as ever and that the authenticity of the alleged data could not be verified. It also sent a letter to one of its customers, the National Stock Exchange of India, stating that:
"We would like to highlight that there are unverified posts and claims being circulated about an alleged data breach at [company's name redacted]. Based on the evidence we have seen thus far, it is not from any of our current systems, and therefore we cannot verify the authenticity of the alleged data breach."
Nevertheless, the company did mention that it has engaged a third-party expert to help audit its systems, so that if a webshell is present, it will be found and removed.
Previous reports by Rajshekar Rajaharia
This is not the first time Rajaharia has found sensitive data being sold online. In fact, Rajaharia is known for identifying and reporting high-profile data breaches to relevant authorities. Some of his previous work includes reporting breaches like: