
Hacked accounts: record database and the Facebook and Twitter flaws

Stolen data, once again. Once again we find ourselves reporting on the exposure of personal information, this time concerning 4 billion accounts scattered around the world: numbers even higher than those of the 2013 Yahoo attack, in which all users were affected. Not only that: in parallel, Facebook and Twitter have also been affected by a similar case, this time relating to (personal) data made visible to third-party developers. These are obviously two different events in their nature, in their consequences and, not trivially, in the number of people involved.

4 BILLION ACCOUNTS AFFECTED

4 billion accounts, as mentioned, for 4 TB of material effectively made public. It is one of the most striking cases in history, which according to Data Viper's initial estimates would have involved at least 1.2 billion people.

  • Number of people involved: 1.2 billion
  • Number of accounts involved: 4 billion
  • Size of the files found: 4 TB
  • Stolen content: names, email addresses, telephone numbers, personal information published on Facebook and LinkedIn
  • Data source: 2 distinct "data enrichment" companies (data enrichment: starting from a single piece of information about a person – name, email – further data are collected to "enrich" that person's profile and learn their lifestyle, tastes, movements, … These data are then shared and sold to companies so that they have information on potential customers)

All the data was found at http://35.199.58.125:9200, cataloged under the two acronyms PDL and OXY, attributable to the two distinct sources that supplied the data. According to initial assessments, PDL would be none other than People Data Labs, a data enrichment company that collected data on 1.2 billion people, drawing it mainly from LinkedIn.

Curiously, the server discovered would seem not to belong to PDL: the former is hosted on Google Cloud, while PDL's API is on AWS. Despite this, by means of a workaround, Data Viper managed to trace the database hosted on the server back to the data enrichment company in question.

The other company involved is OXY, that is, OxyData.Io: in this case 380 million accounts are compromised, whose data would have been taken largely from LinkedIn. In this case too, the server would not seem to belong to the company.

Research into the perpetrators continues, but for the moment we are stuck on an unanswered question: was it a deliberate theft or poor data management by the data enrichment companies?

FACEBOOK AND TWITTER

Both social networks announced yesterday that the data of hundreds of users had been exposed "after they used their accounts to log in to some Android apps downloaded from Google Play". In this case, the "fault" would be attributed neither to Facebook nor to Twitter, but to an SDK called One Audience, which gave third-party developers access to personal data.

This problem is not due to a vulnerability in Twitter's software, but rather to the lack of isolation between SDKs within an application. Our security team has determined that the malicious SDK, which could be embedded in a mobile app, could potentially exploit a vulnerability in the mobile ecosystem to allow access to personal information (e-mail, username, last tweet) and use the malicious SDK. Although we have no evidence to suggest that this was used to take control of a Twitter account, it is possible for a person to do so.

Twitter is alerting affected users, and says it has already contacted Google and Apple to try to resolve the vulnerability. The Cupertino company was therefore also involved, although the information available so far concerns only the Android environment.