Information leak: the publication (or trusted announcement of possession) of stolen or otherwise acquired digital information like user profiles, credentials or other digital assets.
Information leaks have happened many times in the recent past. Sometimes, the number of affected people is quite small like in the leak of a customer database of a small web shop, where we probably would try to contact the few affected individuals or their employer’s IT department. But most of the time we face leaks that contain several million people’s private information.
From our experience as a CERT, it is difficult to inform individuals about the actual leak that happened. Too high is the suspicion the actual warning could be a phishing, and hence it is ignored. Testing services (“Is my email part of the leak”) have legal implications and are also problematic from a security perspective.
This document is a new approach to deal with the mass of information leaks. It is our intention to demonstrate the associated risks and suggest appropriate reactions of users of the service that leaked the information by listing the service of an information leak and showing the number of affected users in Luxembourg - as far as we know them.
TR-46 is an always-updated document. All new information leaks are mentioned here, for the case that we either had looked at it ourselves or can trust a source asserting to have access to such a leak.
How do I know if a service was affected?
All the services we know or trustfully believe that have been breached or otherwise lost your personal information are listed in this document. If you are a user of the service, consider yourself in need for action.
Is CIRCL also informing me directly / my ISP / my company?
If the password is in clear, we also try to notify you, respectively through your ISP or company IT security department, in addition to the listing in this document. The notification can be a difficult process especially to avoid that our own notification messages are abused in phishing tactics.
Vendors or service owners respond differently to such an embarrassing situation, and sometimes they are not mature enough to handle the situation properly or even in appropriate reaction time. You will experience that the vendor says that the passwords were stored hashed or encrypted, and that the leak is nothing to be worried about, because no one can do anything with the information. We generally object to this evaluation and show common risks hereafter.
What are the risks of my information being stolen?
- Spam containing malware or phishing to the email address from the leak. Since the people in the leak belong to a ‘common interest group’, a suitable topic can be found easily. There is no password of the account needed for this attack.
- Passwords are sometimes stored in clear or can be decrypted or looked up in hash tables, depending on the implementation. Such acquired passwords can be used to log in into the account where it has been stolen from or in associated accounts where the same combination of username and password is used.
- When attackers have access to the service, they might place orders in your name (online shops, online services).
- Depending on the information the attacker could have had access to (e.g. Mailbox), it is possible that he uses documents (e.g. invoices) to craft legitimate-looking malicious documents and sends it to contacts he could extract, too.
- If credit card data was accessible, it can be used to do purchases on the internet
What should I do if the service I’m using was affected?
To secure access to your account, first change the password you used for this service as soon as possible. Change it also for every other account where the password was re-used.
The next steps are depending on the information contained in the leak: If the Credit Card information is within the leak, contact your issuer to have the card blocked.
In general, if the information leak contained an email address, be very cautious with incoming emails as they could be containing malicious software or phishing documents .
What can I do to prevent collateral damage?
- Use individual passwords for each service (never re-use passwords)
- Enable 2-factor authentication wherever possible
- Select services that just collect a minimum of information from the users
- Select service providers that know how to deal with security incidents and who are transparent and proactive
Reference of leaks
|Reference||Date of Detection||Source of Leak name||confirmed||# of affected in constituency of CIRCL||# total||data fields|
|5019 5444||2011-12-24||Stratfor Leak||y||110||860160||email address, password hashed|
|301885||2016-09-04||unknown||y||12||9999||email address,password clear|
|301989||2016-09-04||LinkedIn related||y||56||11029||email address,password clear|
|304377||2016-09-11||unknown||y||1||443||nr.,email address,password clear|
|304684||2016-09-12||unknown||y||1||2061||registered,email address,password clear|
|305223||2016-09-13||LinkedIn related||y||6||10000||email address, password clear|
|305756||2016-09-14||unknown||y||1||7467||email address, password clear|
|314535||2016-10-01||streamtunes.tv||y||1||1842||email address, password clear|
|315043||2016-10-03||Eurekalert||y||15||10209||email address, password encrypted|
|316607||2016-10-05||Dropbox (2012 Leak)||y||13458||68680742||email/login, password hashed|
|317627||2016-10-07||unknown||y||6||7256||email address, password clear|
|318866||2016-10-10||unknown||y||1||192||email address, password clear|
|318901||2016-10-11||linhofstudio.com||y||1||243||email address, password clear|
|321684||2016-10-19||Brazil, radiestesi related||y||43||13981||email address, password clear|
|322102||2016-10-20||Malware related||y||4||1421||email address, password clear|
|324271||2016-10-27||Malware related||y||13||3731||email address, password clear|
|324449||2016-10-28||Malware related||y||12||6823||email address, password clear|
|325591||2016-10-29||unknown||y||3||1603||email address, password clear|
|325789||2016-10-30||.BR and quimica related||y||1||970||email address, password clear|
|326555||2016-11-01||Malware related||y||1||3607||email address, password clear|
|327236||2016-11-02||unknown||y||3||1338||email address, password hashed|
|327269||2016-11-02||handit related||y||5||9083||email address, password clear|
|327996||2016-11-05||unknown||y||1||500||email address, password clear|
|328348||2016-11-06||In relation with
|y||11||12902||email address, password clear|
|328370||2016-11-06||In relation with
|y||4||3136||email address, password clear|
|328841||2016-11-08||Schokolade related||y||2||2000||email address, password clear|
|329994||2016-11-09||unknown||y||1||2106||email address, password clear|
|331438||2016-11-13||unknown||y||2||16735||email address, password clear|
|331470||2016-11-14||planetdns.net||y||5||1443||email address, password clear|
|333057||2016-11-19||In relation with
|y||1||3706||email address, password clear|
|333090||2016-11-19||unknown||y||1||72||email address, password clear|
|335169||2016-11-24||unknown||y||1||2068||email address, password clear|
|335186||2016-11-24||000webhost.com related||y||1||4540||email address, password clear|
|335320||2016-11-25||000webhost.com related||y||5||14676||email address, password clear|
|336975||2016-11-27||unknown||n||1||489||email address, password hashed|
|336993||2016-11-27||www.pmpf.rs.gov.br||y||0||2121||email address, password hashed,
additional personal data
|338045||2016-11-29||unknown||y||72||42135||email address, password clear|
|338904||2016-11-30||unknown||y||4||73||USER ID, PASSWORD, PHONE NUMBER,
RECOVERY/ALTERNATIVE EMAIL, LOCATION
|339220||2016-12-01||In relation with
cardio & fitness
|y||31||10952||email address, password clear|
|341894||2016-12-04||In relation with
poster & posterfuchs
|y||1||3211||email address, password clear|
|341994||2016-12-04||www.golfersfriend.co.za||y||6||9319||username, email, password hashed, salt|
|344326||2016-12-08||unknown||y||1||1258||email address, password clear|
|344816||2016-12-09||unknown||y||1||24||email address, password clear|
|346932||2016-12-13||unknown||y||1||87||email address, password clear|
|349931||2016-12-17||In relation with
|y||1||7374||email address, password clear|
|350106||2016-12-18||In relation with
Motor, Car, Mini
|y||2||5661||email address, password clear|
|350392||2016-12-19||www.1394store.com||y||21||1349||email address, password clear|
|352791||2016-12-23||unknown||y||2||1289||email address, password clear|
|352924||2016-12-24||unknown||y||6||3734||email address, password hashed,
|353000||2016-12-24||seaoflifeshop.com||y||13||2268||email address, password clear|
|353067||2016-12-25||In relation with
|y||1||1543||email address, password clear|
|353961||2016-12-28||skillab.it||y||1||1410||user name, password hashed, email address|
|354507||2016-12-30||Mom-, Mommy- social
|y||367||106187||email address, password clear|
|354802||2016-12-30||www.shoesontheweb.com||y||29||1863||email address, password clear|
|354821||2016-12-30||unknown||y||2||6910||email address, password clear|
|355785||2017-01-03||www.deezer.com||y||1||728||email address, password clear|
|355879||2017-01-03||Minecraft related||y||1||2812||email address, password clear|
|356313||2017-01-04||Netflix related||y||1||101||email address, password clear|
|357168||2017-01-07||unknown||y||1||1128||email address, password clear|
|359040||2017-01-13||pile44.com, piles44.com||y||26||17472||email address, password clear|
|359306||2017-01-15||ludygames.com||y||3||2549||id, nom, pass, mail, passmd5, description|
|362846||2017-01-28||unknown||y||1||8534||email address, password clear|
|363173||2017-01-29||unknown||y||6||30213||email address, password hashed|
|363488||2017-01-31||twinner.com.tw||y||17||13122||email address, password clear|
|364775||2017-02-04||www.1394store.com||y||7||1102||email address, password clear|
|365343||2017-02-06||www.aantv.com||y||2||11389||email address, password hashed|
|366193||2017-02-09||unknown||y||1||4049||email address, password hashed|
|366831||2017-02-11||unknown||y||2||2727||email address, password clear|
|366834||2017-02-11||www.stirling-modellbau.de||y||3||445||email address, password clear|
|366988||2017-02-11||In relation with chevaux,
|y||4||5406||email address, password clear|
|367210||2017-02-12||unknown||y||2||1000||email address, password clear|
|367554||2017-02-14||unknown||y||2||7931||email address, password clear|
|367890||2017-02-15||unknown||y||23||11048||email address, password clear|
|368077||2017-02-15||Netflix related||y||1||1555||email address, password clear, resolution|
|368585||2017-02-17||plasticker.de||y||8||10349||email address, password clear|
|368690||2017-02-17||unknown||y||2||1008||email address, password clear|
|368729||2017-02-17||Immobilier, France related||y||4||8122||email address, password clear|
|368925||2017-02-18||Stolen from malware||y||3||405||Website, Username, Password, Date|
How do you find these leaks?
At CIRCL, we develop multiple tools to find information leaks. One of the tool is AIL - Analysis Information Leak framework which is an open source software that can be installed to find leak of information in a stream of data. We use such tools to mine the initial information where an analyst review the information to confirm or deny the leak.
If you have any question or suggestion about this topic, feel free to contact us.
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
Revision of the text (not the table)
- Version 1.0 - 05 October 2016 - TLP:WHITE
- Version 1.1 - 30 January 2017 - TLP:WHITE
- Version 1.2 - 10 February 2017 - TLP:WHITE