UPDATE: Based on further analysis along with discussions with journalists, it appears that this credit card dump contains valid, but older card data that had been previously disclosed. To date, there is no solid evidence this represents a new breach.
The last couple of weeks have seen tensions rising between Russia and Ukraine, and along with it an increase in computer crime.
Sometime earlier this morning, a post allegedly by Anonymous Ukraine has claimed to have published “more than 800 million credit cards” by releasing four archives: Visa, Mastercard, American Express, and Discover cards. Based on the initial analysis by Risk Based Security, the number appears to come to a total of 955,579 cards.
While such an attack does not appear to be directly related to the political strife between Ukraine and Russia, it does raise significant issues for card processors and consumers if the leak is legitimate.
Anonymous Ukraine has posted a short message to Pastebin that includes the following:
Today we publish the first part of our exposure of the international financial system Visa, MC, Discover & Amex, enslaved people around the world. More than 800 million credit cards. Over a trillion dollars.
Each of the four archives appear to have valid card numbers, bank routing numbers, and full names. The dump of information does not contain the credit card CCV (Card Verification Value) or card expiry information. Without this information, committing fraud with the leaked information may be more difficult.
At this time, there is no indication where the data comes from or if it is from a single source or multiple. Risk Based Security and the DatalossDB project will continue to examine the data and investigate in hopes of determining more information about the breach.
Update 7:40P EST – In addition to the 1 million cards disclosed earlier, Anonymous Ukraine has followed up with an additional leak of over 6 million more cards announced in a Tweet. Initial analysis of the new dump by RBS shows 6,064,823 new cards. That breaks down to 668,279 American Express, 3,255,663 Visa, 1,778,749 Mastercard, and 362,132 Discover. Counting the disclosure earlier today and the subsequent dump, the grand total now sits at 7,020,402. Upon cursory examination, a majority of cards seem to come from United States banks. Among the information released, approximately 4,000 come with full user data including social security number, credit card, card card expiry, name, pins, floats, dates of birth, states, and zip codes. The new Pastebin dump from the group also suggests the data may come from ATMs or POS systems.