TR-46 - Information Leaks Affecting Luxembourg and Recommendations

Overview

Information leak: the publication (or trusted announcement of possession) of stolen or otherwise acquired digital information like user profiles, credentials or other digital assets.

Information leaks have happened many times in the recent past. Sometimes the number of affected people is quite small, as in the leak of a customer database of a small web shop, where we would probably try to contact the few affected individuals or their employer’s IT department. But most of the time we face leaks that contain the private information of several million people.

From our experience as a CERT, it is difficult to inform individuals about a leak that has actually happened. The suspicion that the warning itself could be a phishing attempt is too high, and hence it is ignored. Testing services (“Is my email part of the leak?”) have legal implications and are also problematic from a security perspective.

This document is a new approach to dealing with the mass of information leaks. By listing the service behind each information leak and the number of affected users in Luxembourg, as far as we know them, we intend to demonstrate the associated risks and suggest appropriate reactions for users of the affected service.

TR-46 is a continuously updated document. New information leaks are listed here when we have either examined them ourselves or can trust a source asserting to have access to the leak.

How do I know if a service was affected?

All the services we know, or have good reason to believe, have been breached or otherwise lost your personal information are listed in this document. If you are a user of such a service, consider yourself in need of action.

Is CIRCL also informing me directly / my ISP / my company?

If the password is in clear text, we also try to notify you, or your ISP or company IT security department, in addition to listing the leak in this document. Notification can be a difficult process, especially because we must prevent our own notification messages from being imitated in phishing attempts.

Vendor reactions

Vendors or service owners respond differently to such an embarrassing situation, and sometimes they are not mature enough to handle it properly or within an appropriate reaction time. You will often see the vendor state that the passwords were stored hashed or encrypted and that the leak is nothing to worry about, because no one can do anything with the information. We generally object to this evaluation and show common risks hereafter.

What are the risks of my information being stolen?

  • Spam containing malware or phishing sent to the email address from the leak. Since the people in the leak belong to a ‘common interest group’, a suitable lure topic is easy to find. No account password is needed for this attack.
  • Passwords are sometimes stored in clear text, or can be decrypted or looked up in hash tables, depending on the implementation. Such acquired passwords can be used to log in to the account they were stolen from, or to associated accounts where the same combination of username and password is used.
  • When attackers have access to the service, they might place orders in your name (online shops, online services).
  • Depending on the information the attacker had access to (e.g. a mailbox), they may use documents (e.g. invoices) to craft legitimate-looking malicious documents and send them to contacts extracted from the same data.
  • If credit card data was accessible, it can be used to make purchases on the internet.
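The second risk above is why “the passwords were hashed” is not reassuring. The following Python is an added illustration, not code from CIRCL or from this document: it shows that unsalted digests are a plain dictionary lookup against a precomputed list, and contrasts this with salted, slow password storage that such a table cannot match. The wordlist and the “leaked” digests are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist, standing in for the large precomputed password
# lists (the "hash tables" of the risk list) that are freely available.
WORDLIST = ["123456", "password", "letmein", "qwerty", "luxembourg"]


def build_lookup_table(words, algo="md5"):
    """Digest -> password, computed once; it then applies to every site that
    stores unsalted hashes with that algorithm."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def recover_from_table(leaked_digests, table):
    """Unsalted leaked digests are plain dictionary keys: no cracking effort."""
    return {d: table[d] for d in leaked_digests if d in table}


def store_password(password, iterations=200_000):
    """Defensive storage: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256),
    so no table prepared in advance matches and every guess costs CPU time."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    # Constructed "leak": unsalted MD5 digests, as a careless service stores them.
    leaked = [hashlib.md5(b"123456").hexdigest(), hashlib.md5(b"luxembourg").hexdigest()]
    print("recovered from unsalted leak:", recover_from_table(leaked, table))
    record = store_password("123456")
    print("salted record found in table:", record["digest"] in table)
    print("login check:", verify_password("123456", record))
```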

What should I do if the service I’m using was affected?

To secure access to your account, first change the password you used for this service as soon as possible. Change it also for every other account where the password was re-used.

The next steps depend on the information contained in the leak: if credit card information is part of the leak, contact your card issuer to have the card blocked.

In general, if the information leak contained an email address, be very cautious with incoming emails, as they could contain malicious software or phishing documents.

What can I do to prevent collateral damage?

  • Use an individual password for each service (never re-use passwords)
  • Enable 2-factor authentication wherever possible
  • Select services that collect only the minimum of information from their users
  • Select service providers that know how to deal with security incidents and who are transparent and proactive

Reference of leaks

Reference | Date of detection | Source of leak (name) | Confirmed | # affected in CIRCL constituency | # total | Data fields
5019 5444 | 2011-12-24 | Stratfor Leak | y | 110 | 860160 | email address, password hashed
300239 | 2016-08-30 | Vibram | y | 1 | 1412 | id_utente, username, password, nome, cognome, azienda, indirizzo_azienda, numero_azienda, cap_azienda, citta_azienda, stato, ruolo, altro_ruolo, tipologia_azienda, tipologia_azienda_altro, settore_azienda, settore_azienda_altro, telefono, nazione, newsletter, data_iscrizione, data_attivazione, status, codice_attivazione, lingua_preferita, accessi, ultimo_accesso
301885 | 2016-09-04 | unknown | y | 12 | 9999 | email address, password clear
301989 | 2016-09-04 | LinkedIn related | y | 56 | 11029 | email address, password clear
304377 | 2016-09-11 | unknown | y | 1 | 443 | nr., email address, password clear
304684 | 2016-09-12 | unknown | y | 1 | 2061 | registered, email address, password clear
305223 | 2016-09-13 | LinkedIn related | y | 6 | 10000 | email address, password clear
305756 | 2016-09-14 | unknown | y | 1 | 7467 | email address, password clear
308417 | 2016-09-19 | zain.com | y | 4 | 1846 | id, company_id, type, email, phone, status, deleted, streams, password, last_name, first_name, position, create_date, prime_stream, access_right, modified_date, core_bussiness, secondary_stream, attendConference
314535 | 2016-10-01 | streamtunes.tv | y | 1 | 1842 | email address, password clear
315043 | 2016-10-03 | Eurekalert | y | 15 | 10209 | email address, password encrypted
316607 | 2016-10-05 | Dropbox (2012 Leak) | y | 13458 | 68680742 | email/login, password hashed
317627 | 2016-10-07 | unknown | y | 6 | 7256 | email address, password clear
318866 | 2016-10-10 | unknown | y | 1 | 192 | email address, password clear
318901 | 2016-10-11 | linhofstudio.com | y | 1 | 243 | email address, password clear
321684 | 2016-10-19 | Brazil, radiestesi related | y | 43 | 13981 | email address, password clear
321692 | 2016-10-19 | unknown | y | 1 | 5087 | OrderInfo, itemType, transactionDate, simType, productCode, tariffCode, variationCode, firstName, lastName, dateOfBirth, email, telephoneNumber, county, postcode, isoCountryCode, streetName, accountHolderName, bankAccountNumber, bankCode
322102 | 2016-10-20 | Malware related | y | 4 | 1421 | email address, password clear
324271 | 2016-10-27 | Malware related | y | 13 | 3731 | email address, password clear
324449 | 2016-10-28 | Malware related | y | 12 | 6823 | email address, password clear
325591 | 2016-10-29 | unknown | y | 3 | 1603 | email address, password clear
325789 | 2016-10-30 | .BR and quimica related | y | 1 | 970 | email address, password clear
326555 | 2016-11-01 | Malware related | y | 1 | 3607 | email address, password clear
327236 | 2016-11-02 | unknown | y | 3 | 1338 | email address, password hashed
327269 | 2016-11-02 | handit related | y | 5 | 9083 | email address, password clear
327996 | 2016-11-05 | unknown | y | 1 | 500 | email address, password clear
328348 | 2016-11-06 | In relation with equitydevelopment.co.uk | y | 11 | 12902 | email address, password clear
328370 | 2016-11-06 | In relation with pegasomodels.com | y | 4 | 3136 | email address, password clear
328841 | 2016-11-08 | Schokolade related | y | 2 | 2000 | email address, password clear
329994 | 2016-11-09 | unknown | y | 1 | 2106 | email address, password clear
330355 | 2016-11-10 | apanews.net | y | 4 | 329 | id_abonne, nom_abonne, pays_abonne, pass_abonne, emai_abonne, status_abonne, pseudo_abonne, prenoms_abonne
331438 | 2016-11-13 | unknown | y | 2 | 16735 | email address, password clear
331470 | 2016-11-14 | planetdns.net | y | 5 | 1443 | email address, password clear
332233 | 2016-11-15 | AdultFriendFinder leak May 2015 | y | 38 | 4175514 | id, pwsid, pid, age, sex, domain, prderamount, first_order_amount, cobrand_id, show_lang, profile_type, handle, email
332730 | 2016-11-18 | ThePirateGame.net | y | 2 | 3531 | id, ip, email, host, username, password, fullname
333057 | 2016-11-19 | In relation with mestrado Brazil | y | 1 | 3706 | email address, password clear
333090 | 2016-11-19 | unknown | y | 1 | 72 | email address, password clear
333233 | 2016-11-19 | kenya-safari.co.ke | y | 2 | 4551 | cln_id, zip, city, whois, state, email, office, status, mobile, website, address, website, address, country, lastname, is_admin, password, username, initials, telephone, othernames, subscribe_yn, created_date
335169 | 2016-11-24 | unknown | y | 1 | 2068 | email address, password clear
335186 | 2016-11-24 | 000webhost.com related | y | 1 | 4540 | email address, password clear
335320 | 2016-11-25 | 000webhost.com related | y | 5 | 14676 | email address, password clear
336975 | 2016-11-27 | unknown | n | 1 | 489 | email address, password hashed
336993 | 2016-11-27 | www.pmpf.rs.gov.br | y | 0 | 2121 | email address, password hashed, additional personal data
338045 | 2016-11-29 | unknown | y | 72 | 42135 | email address, password clear
338904 | 2016-11-30 | unknown | y | 4 | 73 | USER ID, PASSWORD, PHONE NUMBER, RECOVERY/ALTERNATIVE EMAIL, LOCATION
339220 | 2016-12-01 | In relation with cardio & fitness | y | 31 | 10952 | email address, password clear
341894 | 2016-12-04 | In relation with poster & posterfuchs | y | 1 | 3211 | email address, password clear
341994 | 2016-12-04 | www.golfersfriend.co.za | y | 6 | 9319 | username, email, password hashed, salt
344326 | 2016-12-08 | unknown | y | 1 | 1258 | email address, password clear
344816 | 2016-12-09 | unknown | y | 1 | 24 | email address, password clear
346932 | 2016-12-13 | unknown | y | 1 | 87 | email address, password clear
349931 | 2016-12-17 | In relation with tunesoman.com | y | 1 | 7374 | email address, password clear
350106 | 2016-12-18 | In relation with Motor, Car, Mini | y | 2 | 5661 | email address, password clear
350392 | 2016-12-19 | www.1394store.com | y | 21 | 1349 | email address, password clear
352791 | 2016-12-23 | unknown | y | 2 | 1289 | email address, password clear
352924 | 2016-12-24 | unknown | y | 6 | 3734 | email address, password hashed, password clear
353000 | 2016-12-24 | seaoflifeshop.com | y | 13 | 2268 | email address, password clear
353067 | 2016-12-25 | In relation with gabon, adjaho | y | 1 | 1543 | email address, password clear
353961 | 2016-12-28 | skillab.it | y | 1 | 1410 | user name, password hashed, email address
354507 | 2016-12-30 | Mom-, Mommy- social community related | y | 367 | 106187 | email address, password clear
354802 | 2016-12-30 | www.shoesontheweb.com | y | 29 | 1863 | email address, password clear
354821 | 2016-12-30 | unknown | y | 2 | 6910 | email address, password clear
355785 | 2017-01-03 | www.deezer.com | y | 1 | 728 | email address, password clear
355879 | 2017-01-03 | Minecraft related | y | 1 | 2812 | email address, password clear
356313 | 2017-01-04 | Netflix related | y | 1 | 101 | email address, password clear
357168 | 2017-01-07 | unknown | y | 1 | 1128 | email address, password clear
357648 | 2017-01-09 | bunkerindex.com | n | 2 | 3985 | email address
359040 | 2017-01-13 | pile44.com, piles44.com | y | 26 | 17472 | email address, password clear
359306 | 2017-01-15 | ludygames.com | y | 3 | 2549 | id, nom, pass, mail, passmd5, description
362846 | 2017-01-28 | unknown | y | 1 | 8534 | email address, password clear
363173 | 2017-01-29 | unknown | y | 6 | 30213 | email address, password hashed
363488 | 2017-01-31 | twinner.com.tw | y | 17 | 13122 | email address, password clear
364775 | 2017-02-04 | www.1394store.com | y | 7 | 1102 | email address, password clear
365343 | 2017-02-06 | www.aantv.com | y | 2 | 11389 | email address, password hashed
366193 | 2017-02-09 | unknown | y | 1 | 4049 | email address, password hashed
366831 | 2017-02-11 | unknown | y | 2 | 2727 | email address, password clear
366834 | 2017-02-11 | www.stirling-modellbau.de | y | 3 | 445 | email address, password clear
366988 | 2017-02-11 | In relation with chevaux, cheval, truand | y | 4 | 5406 | email address, password clear
367210 | 2017-02-12 | unknown | y | 2 | 1000 | email address, password clear
367554 | 2017-02-14 | unknown | y | 2 | 7931 | email address, password clear
367890 | 2017-02-15 | unknown | y | 23 | 11048 | email address, password clear
368077 | 2017-02-15 | Netflix related | y | 1 | 1555 | email address, password clear, resolution
368585 | 2017-02-17 | plasticker.de | y | 8 | 10349 | email address, password clear
368690 | 2017-02-17 | unknown | y | 2 | 1008 | email address, password clear
368729 | 2017-02-17 | Immobilier, France related | y | 4 | 8122 | email address, password clear
368925 | 2017-02-18 | Stolen from malware | y | 3 | 405 | Website, Username, Password, Date
373022 | 2017-03-04 | unknown | y | 1 | 167 | email address, password clear
376065 | 2017-03-14 | Canadian .GOV site | y | 3 | 256 | email address, password clear
376348 | 2017-03-15 | www.orepeditions.com | y | 6 | 844 | username, password clear, email address
376993 | 2017-03-17 | Brazul related | y | 1 | 255 | username, password hashed, email address
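The document states that leaks with clear-text passwords trigger direct notification, while every other leak is handled by the listing alone. As an added example that is not part of CIRCL’s document or of its tooling, the following Python parses rows in the column order of the reference table and applies that rule, summarising affected constituency counts per kind of password exposure. The pipe-separated layout and the five rows chosen from the table are assumptions of the example.

```python
# Rows taken from the TR-46 reference table, in its column order (reference,
# detection date, source, confirmed, affected in constituency, total, data
# fields); the pipe separator is an assumption of this example.
SAMPLE_ROWS = """\
301885 | 2016-09-04 | unknown | y | 12 | 9999 | email address, password clear
315043 | 2016-10-03 | Eurekalert | y | 15 | 10209 | email address, password encrypted
327236 | 2016-11-02 | unknown | y | 3 | 1338 | email address, password hashed
341994 | 2016-12-04 | www.golfersfriend.co.za | y | 6 | 9319 | username, email, password hashed, salt
357648 | 2017-01-09 | bunkerindex.com | n | 2 | 3985 | email address
"""


def parse_rows(text):
    """Parse pipe-separated rows; data fields become a lowercase list."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 7:
            continue  # skip malformed or wrapped lines
        ref, date, source, confirmed, affected, total, fields = parts
        rows.append({"ref": ref, "date": date, "source": source,
                     "confirmed": confirmed == "y",
                     "affected": int(affected), "total": int(total),
                     "fields": [f.strip().lower() for f in fields.split(",")]})
    return rows


def password_exposure(fields):
    """How passwords appear in the leak; clear text is the worst case."""
    joined = " ".join(fields)
    if "password clear" in joined:
        return "clear"
    if "password hashed" in joined:
        return "hashed+salt" if "salt" in fields else "hashed"
    if "password encrypted" in joined:
        return "encrypted"
    return "none"


def triage(rows):
    """Document's rule: confirmed clear-text passwords trigger direct
    notification; other leaks are covered by the listing alone."""
    summary, notify = {}, []
    for row in rows:
        exposure = password_exposure(row["fields"])
        count, affected = summary.get(exposure, (0, 0))
        summary[exposure] = (count + 1, affected + row["affected"])
        if exposure == "clear" and row["confirmed"]:
            notify.append(row["ref"])
    return summary, notify
```

Calling `triage(parse_rows(SAMPLE_ROWS))` returns per-exposure (leak count, affected in constituency) pairs and the list of references that need direct notification.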

How do you find these leaks?

At CIRCL, we develop several tools to find information leaks. One of them is AIL (Analysis Information Leak framework), open source software that can be installed to find leaked information in a stream of data. We use such tools to mine the initial information; an analyst then reviews it to confirm or deny the leak.

Contact

If you have any questions or suggestions about this topic, feel free to contact us.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision of the text (not the table)

  • Version 1.0 - 05 October 2016 - TLP:WHITE
  • Version 1.1 - 30 January 2017 - TLP:WHITE
  • Version 1.2 - 10 February 2017 - TLP:WHITE