During our threat intelligence hunt, we stumble upon different contents, especially those of the Dark Web. There are numerous surprises because no one can really tell which of the breaches are critical and impacting until you know what is inside. One perfect example is a data breach broker within a notorious forum posted his collection of databases for a fee.
Here is an outline of the text format of the post:
| Breached Business | Affected Lines | Password format | Date of Breach |
| Juspay.in | 100 million | No Password | 2020-08 |
| Teespring.com | 8,2 million | SHA1-Salted | 2020-06 |
| MyON.com | 13 million | Bcrypt | 2020-06 |
| Knockcrm.com | 6 million | PBKDF2-SHA256 | 2020-04 |
| Mindful.org | 1,7 million | Bcrypt | 2020-01 |
| Clickindia.com | 8 million | MD5 | 2020-08 |
| Chqbook.com | 1 million | Bcrypt | 2020-08 |
| Bigbasket.com | 20 million | SHA1-Salted | 2020-10 |
| Reddoorz.com | 5,8 million | Bcrypt | 2020-09 |
| Hybris.com (SAP.com) | 4 million | MD5-Salted and PHPass | 2020-01 |
| Wedmegood.com | 1,3 million | SHA512 | 2020-09 |
| Wongnai.com | 4,3 million | MD5 | 2020-09 |
| Geekie.com.br | 8,1 million | Bcrypt | 2020-08 |
| Anyvan.com | 4,1 million | MD5 and Bcrypt | 2020-09 |
| Accuradio.com | 2,2 million | PBKDF2-SHA256 | 2019-02 |
| Everything5pounds.com | 2,9 million | SHA1-Salted and PHPass | 2020-09 |
| Cermati.com | 2,9 million | Bcrypt | 2020-01 |
| Netlog.com (Twoo.com) | 53 million | Plaintext | 2012-11 |
| Reverbnation.com | 7,8 million | SHA1-Salted | 2014-04 |
| Fotolog.com | 32 million | SHA256-Salted | 2018-12 |
| Pizap.com | 60 million | No Password | 2018-05 |
| ModaOperandi.com | 1,2 million | Bcrypt and SHA1-Salted | 2019-03 |
| Eventials.com | 1,4 million | PBKDF2-SHA256 | 2020-10 |
| Wahoofitness.com | 1,7 million | Bcrypt | 2020-07 |
| Sitepoint.com | 1 million | Bcrypt | 2020-06 |
| Singlesnet.com | 16 million | Plaintext | 2012-09 |
All websites breached contain useful information from email addresses up to personally identifiable information. However, the member who posted the contents for sale is new to the forums. Therefore, we cannot 100% say that all of them are verified. Yet, for threat actors, these are opportunities for phishing intelligence operations. Nonetheless, the money that can be made from these leaked pieces of information is likely to be profitable if done right. What is outstanding from the list is the leak on Juspay.in.
Juspay data breach is about 100 Million cardholders’ Data Leaked
The data contained in the Juspay breach should alarm financial institutions in India because here are the following details based on the SQL query are available:
- DROP TABLE IF EXISTS `stored_card`;
- /*!40101 SET @saved_cs_client = @@character_set_client */;
- /*!40101 SET character_set_client = utf8 */;
- CREATE TABLE `stored_card` (
- `id` varchar(64) NOT NULL,
- `version` bigint(20) NOT NULL,
- `card_brand` varchar(20) DEFAULT NULL,
- `card_exp_month` varchar(2) NOT NULL,
- `card_exp_year` varchar(4) NOT NULL,
- `card_fingerprint` varchar(64) DEFAULT NULL,
- `card_isin` varchar(6) NOT NULL,
- `card_issuer` varchar(64) DEFAULT NULL,
- `card_last_four_digits` varchar(4) NOT NULL,
- `card_reference` varchar(64) NOT NULL,
- `card_token` varchar(64) DEFAULT NULL,
- `card_token_of_vault_provider` varchar(64) DEFAULT NULL,
- `card_type` varchar(20) DEFAULT NULL,
- `customer_id` varchar(128) NOT NULL,
- `date_created` datetime NOT NULL,
- `last_updated` datetime NOT NULL,
- `masked_card_number` varchar(32) NOT NULL,
- `merchant_account_id` bigint(20) NOT NULL,
- `name_on_card` varchar(255) DEFAULT NULL,
- `nickname` varchar(255) DEFAULT NULL,
- `vault_provider` varchar(32) NOT NULL,
- `card_global_fingerprint` varchar(64) DEFAULT NULL,
- `metadata` text,
- PRIMARY KEY (`id`),
- UNIQUE KEY `id` (`id`),
- KEY `FKAED8DE2C37947956` (`merchant_account_id`),
- KEY `card_token` (`card_token`),
- KEY `customer_id` (`customer_id`),
- KEY `card_global_fingerprint_idx` (`card_global_fingerprint`),
- KEY `card_reference_idx` (`card_reference`)
- ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
- /*!40101 SET character_set_client = @saved_cs_client */;
Our source of the above data came from the Data Broker himself. According to our threat intelligence team, numerous financial institutions, particularly banks issuing credit and debit cards, are affected. For privacy reasons, we cannot release the list of affected banks and individuals publicly on this advisory.
iZOOlogic thinks that recovering this data is essential
iZOOlogic thinks that recovering this data is essential, especially for affected institutions with the data breach. Why? As these data passes on to threat actors and malicious blackhats, the higher the chances that their customers and brand reputation will be affected. The information that comes with the breach when possessed by a brilliant adversary may lead to severe repercussions. These can be used for more future data breaches, identity fraud, and carding activities that may involve unauthorized transactions. We generally do not encourage companies to buy from Data Breach Brokers, but recovering them as early as possible will help you secure the data by identifying the compromised data and avoid any chargeback complaints from your customers as a result of this breach. In other words, once you have the lead of those that got compromised, you can take further action before any adversary takes advantage of those data. It is a race between multiple adversaries and the business that are affected.
