UPDATE: Based on further analysis along with discussions with journalists, it appears that this credit card dump contains valid, but older card data that had been previously disclosed. To date, there is no solid evidence this represents a new breach.
The last couple of weeks have seen tensions rising between Russia and Ukraine, and along with it an increase in computer crime.
Sometime earlier this morning, a post allegedly by Anonymous Ukraine has claimed to have published “more than 800 million credit cards” by releasing four archives: Visa, Mastercard, American Express, and Discover cards. Based on the initial analysis by Risk Based Security, the number appears to come to a total of 955,579 cards.
While such an attack does not appear to be directly related to the political strife between Ukraine and Russia, it does raise significant issues for card processors and consumers if the leak is legitimate.
Anonymous Ukraine has posted a short message to Pastebin that includes the following:
Today we publish the first part of our exposure of the international financial system Visa, MC, Discover & Amex, enslaved people around the world. More than 800 million credit cards. Over a trillion dollars.
Each of the four archives appear to have valid card numbers, bank routing numbers, and full names. The dump of information does not contain the credit card CCV (Card Verification Value) or card expiry information. Without this information, committing fraud with the leaked information may be more difficult.
At this time, there is no indication where the data comes from or if it is from a single source or multiple. Risk Based Security and the DatalossDB project will continue to examine the data and investigate in hopes of determining more information about the breach.
Update 7:40P EST – In addition to the 1 million cards disclosed earlier, Anonymous Ukraine has followed up with an additional leak of over 6 million more cards announced in a Tweet. Initial analysis of the new dump by RBS shows 6,064,823 new cards. That breaks down to 668,279 American Express, 3,255,663 Visa, 1,778,749 Mastercard, and 362,132 Discover. Counting the disclosure earlier today and the subsequent dump, the grand total now sits at 7,020,402. Upon cursory examination, a majority of cards seem to come from United States banks. Among the information released, approximately 4,000 come with full user data including social security number, credit card, card card expiry, name, pins, floats, dates of birth, states, and zip codes. The new Pastebin dump from the group also suggests the data may come from ATMs or POS systems.
Today The Syrian Electronic army via their Twitter account @Official_SEA16 announced that they have leaked the Forbes WordPress user database not long after it was announced that they had managed to hack their website.
This breach is quite substantial and includes 1,056,986 unique emails addresses and accounts with 844 of them being government (.GOV) and 14,572 educational accounts (.EDU). In addition, the dump contains credentials from a Forbes wp_users database and contains 564 Forbes.com based emails including administrators accounts.
Forbes has posted a statement to their Facebook page regarding the breach urging all users to reset their password on the Forbes network and on any other sites they may have used the same credentials.
Security message: Forbes.com was targeted in a digital attack and our publishing platform was compromised. Users’ email addresses may have been exposed. The passwords were encrypted, but as a precaution, we strongly encourage Forbes readers and contributors to change their passwords on our system, and encourage them to change them on other websites if they use the same password elsewhere. We have notified law enforcement. We take this matter very seriously and apologize to the members of our community for this breach.
As Eduard points out that although the passwords are encrypted, the email addresses are still very useful. In addition, it is not clear the type of the encryption used and there is still a potential that they can easily be decrypted. It is clear that this breach has the potential to pose a significant risk for many of their users.
Breakout of just a few type of email domains:
185, 271 yahoo.com
While there are still a few weeks left in 2013, it has already been the most severe in terms of data breaches in the last 10 years with over 705 million records lost. In addition, 4 of the top 10 data breaches of all time happened in 2013, with the top spot now belonging to Adobe (at least for the moment).
The Adobe breach was discovered and brought to light by Brian Krebs and information security researcher Alex Holden back in October (Brian Krebs is an Advisor to Alex Holden’s company). When the leak was first announced it was said to be about 2.9 million records but soon after the figure changed to what is now confirmed to be approximately 152 million records. Adobe has commented on the amount of data and users impacted a few times, and is expected to provide an update when their investigations are completed. The data has been stated to have a lot of duplicates as well as false data including usernames (email addresses) and encrypted passwords. This data was allegedly obtained directly from Adobe’s servers by unknown hackers who are also said to have obtained data from several other well known sites as well.
Early investigations by Krebs appear to have uncovered major breaches after they obtained the complete database of SSNDOB, an underground carding and personal information website. The SSNDOB investigation uncovered a lot of high profile names like LexisNexis Inc., Dun & Bradstreet, and Kroll Background America, Inc. all of which were hacked and used as a massive database for the SSNDOB website. In addition, another was the Cupid Media breach which exposed 42 million accounts and according to Brian Krebs was found on the same server as the Adobe data as well as NW3CM and PR News Wire.
One item which does not seem to be fully addressed is how Brian Krebs and Alex Holden were able to obtain this data. In one of the posts, there was a mention that they“discovered a massive 40 GB source code trove stashed on a server” but still their methods were not abundantly clear. There are several deep web monitoring services available and we have confirmed that at some point the Adobe data was available for purchase for a whopping $6 dollars. However, speculation in some circles have been that this data was originally acquired from a private server and therefore to obtain the data they would have had to have illicit access to the server themselves.
Regardless of the method used to obtain the data, at this point what they have done is help to raise the awareness of several massive breaches that have impacted millions of people around the world. As we move forward, was this type of discovery a one off or will we see more data breach disclosure in this fashion?
It appears that Capital One has announced a new program for helping non-profit organizations to raise funds (see picture). According to the plan, all rewards earned on these cards, including one percent of net purchases and an additional $25 with the first purchase, go directly to support the affiliated nonprofit organization. As a 501(c)(3), OSF is wondering if anyone might be interested in obtaining a DataLossDB Capital One card to make donating easier (and to help the economy!). We’re also accepting other ideas for card designs, such as “CHECK ID” on the front (thanks, Sullo!). Please contact us if this idea interests you or if you have any suggestions.
Also, we would like to announce that BreachCenter.com is now online. Intersections Inc. has partnered with Financial Services Roundtable and ITAC, the Identity Theft Assistance Center, to provide this service, and OSF is contributing information on recent data breaches to the site. BreachCenter.com also features news and opinions from the ITAC blog. Please check them out when you can.
Lastly, T-Mobile has been in the news recently regarding an apparent data breach, which may or may not have involved its customers’ personal information. According toUSA Today, “The document ‘copied’ by the hacker Pwnmobile did not get into his hands via a hack, the company says. Information in the document is legitimate T-Mobile data, but is not customer information. Investigators can’t yet say for certain how Pwnmobile got his mitts on a copy of the document.” So while details are still sketchy, we’re following the story and will post information to the DataLoss Mail List as it becomes available.
More news to follow later in the week!
Posted by Lyger.