Iranians, unfortunately, have been hit hard by the Coronavirus, and the last thing they need is to have their privacy breached. Yet that is what has happened: an individual is selling the personal details of 42 million Iranians on a prominent hacking forum.
Earlier today, researchers at Comparitech identified a misconfigured database hosted on an Elasticsearch server. After analyzing, it was revealed that the database contained a treasure trove of data belonging to 42 million Iranian citizens.
According to a blog post by researchers, the database was originally uploaded by a group of Iranian hackers going by the online handle of “Samaneye Shekar” meaning “Hunting system” in English.
Initially, it was concluded that the data had been scraped from Telegram, since it included user account IDs, usernames, hashes, secret keys, and phone numbers. However, HackRead.com has now learned that the data was scraped from HotGram and Talagram, two Telegram alternatives used in Iran.
On the other hand, Telegram has also confirmed to the researchers that the database came from an unaffiliated app. It is noteworthy that Telegram is an open source app allowing anyone to create their own versions of it. This helps Iranians use Telegram even when it is blocked due to online censorship in the country.
In a conversation with HackRead.com, a security researcher from Under The Breach who analyzed the sample data indicated that the database has been created with the help of scraping, a process in which data is extracted from other websites or servers.
The data only contained information that is obtainable by scraping and nothing to do with internal messaging so I believe it is a scraping operation done by some company in Iran that would then sell it to 3rd parties.
The researcher also revealed that a few days ago, misconfigured databases on Elasticsearch servers were hit by a worm in which, among others, the particular database was deleted as well. However, before the attack, the database was downloaded several times and one of the downloaders is now selling it on a prominent hacking forum whose name won’t be revealed for privacy purposes.
Although it is unclear how many people have already bought the database, when asked whether it could have an impact with regard to the Coronavirus pandemic, the researcher said:
“This data can be used to spread fake news; you could create large groups and spread disinformation, though I don’t believe that was the purpose of the scrape,” the researcher explained.
Not for the first time:
In September 2016, HackRead.com received an email in which a hacker going by the online handle of “Leader” shared a trove of data containing personal records and phone numbers of 40 million Iranians. The data was stolen from Iranian ISP Daba and belonged to MTN Irancell users.
Iranians are no strangers to such data breaches. In April last year, a local ride-hailing app in the country leaked sensitive data of 1 to 2 million drivers in plain-text format; the misconfigured database was hosted on a MongoDB server.
Elasticsearch and misconfigured databases:
Elasticsearch is an open-source search and analytics engine for all types of data, and lately it has been home to a great many misconfigured databases. Earlier this month, a cyber security firm leaked 5 billion records it hosted on an Elasticsearch server. These records included login credentials from previous data breaches, including Twitter, Tumblr, Adobe, Vk, LinkedIn, and Last.fm. No customer data was leaked in the incident.
Just last month, an Israeli company leaked the personal data of millions of Americans, including their physical addresses. That database was hosted on an Elasticsearch server as well. In November last year, 4 terabytes of personal records were leaked online, all without any password protection.
In another incident, personal and tax records of 20 million Russians were also leaked online. Last month, another Elasticsearch database was exposed and leaked personal data of millions of Americans from a computer in China.
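The exposures above share one root cause: an Elasticsearch node bound to a reachable interface with authentication switched off. As an added illustration that is not part of the original article, the following elasticsearch.yml fragments show that weak combination beside a corrected one; they assume Elasticsearch 7.x, where the basic licence includes authentication but leaves it disabled unless set, and the keystore path is a placeholder.

```yaml
# --- Exposed node (the pattern behind the incidents above) ---
# Listening on every interface with security off: anyone who can reach
# port 9200 can read, modify or delete every index without a password.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false

---
# --- Corrected node ---
# Bind to loopback (or a private interface) so the API is not Internet-facing,
# require authentication on the HTTP API, and wrap it in TLS.
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true                 # enforce authentication
xpack.security.http.ssl.enabled: true        # TLS for the REST API
xpack.security.http.ssl.keystore.path: http.p12   # placeholder: your PKCS#12 keystore
discovery.type: single-node                  # assumed single-node deployment
```

After enabling security, set the built-in users' passwords with `bin/elasticsearch-setup-passwords interactive` before restarting, and confirm from outside the host that port 9200 no longer answers unauthenticated requests.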
Update – 11:24 – Tuesday, 31 March 2020 (BST)
The Head of the Computer Emergency Response Team (CERT) in Iran, Mr. Amir Nazemy, has confirmed that the data breach did take place. In a tweet in Persian, Mr. Nazemy said (tweet translated with Google Translate):
Expert Center Report: On Dec. 2 we warned of the insecurity of telegram shells. There is, of course, evidence that this information was collected in another way! The alleged site was identified by the name of the hunt hosted by Raspina. The report will be referred to the prosecution for judicial review.