Monthly Archives: December, 2013

Data, data everywhere! Where it comes from, nobody really knows?

While there are still a few weeks left in 2013, it has already been the most severe in terms of data breaches in the last 10 years with over 705 million records lost. In addition, 4 of the top 10 data breaches of all time happened in 2013, with the top spot now belonging to Adobe (at least for the moment).

The Adobe breach was discovered and brought to light by Brian Krebs and information security researcher Alex Holden back in October (Brian Krebs is an Advisor to Alex Holden’s company). When the leak was first announced it was said to be about 2.9 million records but soon after the figure changed to what is now confirmed to be approximately 152 million records. Adobe has commented on the amount of data and users impacted a few times, and is expected to provide an update when their investigations are completed. The data has been stated to have a lot of duplicates as well as false data including usernames (email addresses) and encrypted passwords. This data was allegedly obtained directly from Adobe’s servers by unknown hackers who are also said to have obtained data from several other well known sites as well.

Early investigations by Krebs appear to have uncovered major breaches after they obtained the complete database of SSNDOB, an underground carding and personal information website. The SSNDOB investigation uncovered a lot of high profile names like LexisNexis Inc., Dun & Bradstreet, and Kroll Background America, Inc. all of which were hacked and used as a massive database for the SSNDOB website. In addition, another was the Cupid Media breach which exposed 42 million accounts and according to Brian Krebs was found on the same server as the Adobe data as well as NW3CM and PR News Wire.

One item which does not seem to be fully addressed is how Brian Krebs and Alex Holden were able to obtain this data. In one of the posts, there was a mention that they“discovered a massive 40 GB source code trove stashed on a server” but still their methods were not abundantly clear. There are several deep web monitoring services available and we have confirmed that at some point the Adobe data was available for purchase for a whopping $6 dollars. However, speculation in some circles have been that this data was originally acquired from a private server and therefore to obtain the data they would have had to have illicit access to the server themselves.

Regardless of the method used to obtain the data, at this point what they have done is help to raise the awareness of several massive breaches that have impacted millions of people around the world. As we move forward, was this type of discovery a one off or will we see more data breach disclosure in this fashion?