Friday 18 January 2019

Independent Investigation into the 773 Million Records - "Collection #1"

On 17 January 2019, media reports concerning an article posted by Troy Hunt where a huge trove of data with nearly 773 million records were exposed in a giant 87GB archive. On the same day, Brian Krebs posted an article stating that the 773 million password "Megabreach" were most likely to be old data.

So on the night of 18 January, I started to conduct my own research and investigation to find out more about this Megabreach. Using the screenshot of the database trove posted on Troy Hunt's website, I decided to start digging...

Screenshot of the 'archive' posted on Troyhunt.com

Taking some of the texts in the screenshot, I found a link that many of the domains (listed in the screenshot) were also listed in a list called "dumplist.txt" posted on 28 September 2018.

Thousands of 'hacked DBs' dumps. No data - just the names of the dumps.

According to Troy Hunt, he was directed to a post in a well known hacking forum - that was where the screenshot was taken from. I was able to find the forum and i believed this was the forum Troy Hunt was referring/redirected to.

Posted on a forum known for hacking, cracking and even advertising hacked DBs

Upon further inspection of the screenshot/post, I noticed the naming convention was quite interesting and realized that this was most likely copied and pasted from the dumplist.txt. Two samples of similarities are highlighted below:

Same naming convention and structure

Troy Hunt also posted the list of "allegedly hacked databases" amounting to over 2000 'DBs' on Pastebin: https://pastebin.com/UsxU4gXA

While I was cross-referencing Troy Hunt's list to dumplist.txt and confirming my view that some (or most) of the hacked DBs were listed in that dumplist.txt using the exact naming convention, mirrored word by word, i also identified a Pastebin content which has most of these DBs listed in its content.

Posted on 29 August 2018

A total of 8301 presumable hacked DBs
This list, not only has the same naming convention, but also contains over 8000 allegedly hacked DBs. This list however was posted on 29 August 2018!

According to Troy Hunt and Brian Krebs, these data from Collection #1 are all a collection or compilation of previous data breaches and advertised as a 'new' database for sale. I took the liberty to research some of the samples 'hacked' DBs to identify if these DBs were indeed not new. To achieve this, I cross reference a hacked DB from the latest Pastebin content posted (by Troy Hunt), then looked at the contents from 2018 posts.

Using kabarindonesia[.]com as a sample

For this particular example, the hacked DB allegedly belonging to kabarindonesia[.]com was present in all the lists. Additionally, this was further confirmed from Breach Aware that kabarindonesia[.]com was one of the victims involved in the data breach of early 2018.

kabarindonesia[.]com pointed as one of the victims of a past data breach

Now further investigation reveals that the screenshot on the hacking forum posted on Troy Hunt's website was not the ground zero. I was able to identify a forum post (a different forum from the one in Troy Hunt's website) that was selling databases similar to the ones in Collection #1.

A typical advertisement in hacking forums

The list of databases for sale in this advertisement

Upon closer inspection of the data advertised, there seems to be a similar offering to the contents of Collection #1. I assess (with medium confidence) that the data advertised in the forum is also possibly included in the bigger data in Collection #1 (right).

Possibly same data, different seller and databases

Now according to Brian Krebs, his interaction with the seller known as "Sanixer" on Telegram reveals that Collection #1 (87GB) was just the beginning of the bigger 993.36GB (almost 1TB) data dump. This was being sold for just $45!

The Telegram User Sanixer (below right)

While Sanixer was offering/advertising the 1TB data for $45, I spotted a forum post who was actually giving this away for free!!! Apparently the forum user was unhappy claiming that Sanixer was sharing his "Infinity Black Combo" in that storage. As an act of retaliation, he posted links to all the 1TB data that can be accessed for free!!

Links to the 1 TB data! 

And to make things worse, other forum users were spotted posting links to these data as well. The post below was posted on 9 January and another 19 January.

Another set of links to the 1 TB data

Another post from a different forum 

Due to ethics, I did not download any of these content, however I took screenshots of these content to show what was being offered.

Screenshot of Collection 1

Screenshot of Collection 2

Screenshot of Collection 3

Screenshot of Collection 4

Screenshot of Collection 5

Screenshot of Antipublic 1

Screenshot of Antipublic 2
In conclusion, I believe that most (if not all) of these data are not new but could be either bought or downloaded from existing databases in the deep web. While some researchers or journalists published this 'breach' as the biggest or largest breach, allow me to recollect your memory to the 1.4 Billion credentials leak of 2017 - reported by 4iQ and the Exploit[.]in compilation of over 592 Million accounts (leaked databases) in the same year. I have a feeling that this 1 TB of data advertised in the underground community is merely a compilation of previous and past years breaches until mid 2018.

No comments:

Post a Comment