from Hacker News

The unattributable “db8151dd” data breach

by iDemonix on 5/15/20, 8:15 AM with 148 comments

  • by throwaway9993 on 5/15/20, 12:26 PM

    Dataset for sale: [redacted]

    Similar data structure: https://stackblitz.com/edit/angular-soswe4?file=src%2Fapp%2F...

    Owner works for: https://covve.com

    Covve: This simple yet state-of-the-art app will revolutionise your business relations like you've never seen.

    Edit: Response: https://twitter.com/covve/status/1261287954967941120

  • by alexproto on 5/15/20, 1:49 PM

    Hi all, Alex here, CTO at Covve. Just got alerted of incident db8151dd in . We’re investigating as top priority with our security experts what relation this may have with Covve. We are monitoring the feedback in this blog and would really appreciate any additional information you may have on this as we investigate (alex@covve.com).

  • by xenophonf on 5/15/20, 2:53 PM

    Troy's fighting the good fight, but it's so freaking depressing. If he has hundreds of millions of records worth of personal data from just the breaches that have been shared with him, what _else_ is out there in the hands of criminals and corporations, neither of which have the public interest at heart—only naked self interest in exploiting members of the public for as much money as they can get?

  • by Nextgrid on 5/15/20, 8:32 AM

    For the people that use unique per-merchant e-mail addresses (like someone+amazon@...), could you try some of those aliases on HaveIBeenPwned and see which ones come up in this breach? That might shed some light onto its origin.

  • by dgellow on 5/15/20, 10:26 AM

    > Why load it at all? Because every single time I ask about whether I should add data from an unattributable source, the answer is an overwhelming "yes"

    To be fair, you’re asking your followers on twitter. That’s as biased as you can have, I would be really surprised if the majority would say no.

  • by numpad0 on 5/15/20, 10:17 AM

    Could it be Google+? 3 of 3 my Gmail addresses associated with their profile in some way were on it. Two of it I might have used to register a domain, but the last one I used for G+ and one other website only and none of any friends know this. Also I'm not in US or have US background, can't be from American friends' phones or retailer CRM.

  • by londons_explore on 5/15/20, 9:25 AM

    > Recommended by Andie [redacted last name]. Arranged for carpenter apprentice Devon [redacted last name] to replace bathroom vanity top at [redacted street address], Vancouver, on 02 October 2007.

    Given that, surely Troy can contact those people and ask "who knew this info?". Not many people would know who replaced my bathroom vanity top...

  • by typpo on 5/15/20, 11:54 PM

    I use a unique email on my personal domain for everything I sign up for.

    The email contained in this breach is the one I provided to Facebook. It was probably hacked or sold from one of the handful of apps I've connected with FB over the years.

  • by secfirstmd on 5/15/20, 9:58 AM

    One of my emails is currently on:

    "Pwned on 19 breached sites and found 5 pastes.

    If this is public breaches, I would guess in reality I can probably assume it's on double/triple that for sites that have been breached but the data hasn't been posted online.

  • by wincent on 5/15/20, 11:20 AM

    I don't really get the utility of HIBP. The answer to the "have I been pawned?" question is, of course, yes, multiple times. I think about the only way to keep your email out of the hands of the bad guys is to not use it or give it to anyone ever, at which point you don't need an email address.

    What am I supposed to do whenever I'm involved in a new breach? Burn all my accounts and start again?

  • by polote on 5/15/20, 3:49 PM

    After how many breach of ES clusters, Elastic will decide to make their db not accessible from external IP by default ?

  • by r1ch on 5/15/20, 8:55 AM

    Is this dump online anywhere? I got the notification from HIBP but it only tells me my email address appeared and I'm curious how accurate the rest of the data is.

  • by guessmyname on 5/15/20, 8:38 AM

    > Email addresses, Job titles, Names, Phone numbers, Physical addresses, Social media profiles

    I just got the email notification from HIBP (Have I Been Pwned) a few minutes ago [1], but I am not worried about the compromised data because 1) my personal email address, job title and phone number are all visible in my resume which is publicly available in my website, I actually encourage people —mostly tech recruiters— to download the PDF and contact me via email or phone all the time and 2) my physical address is irrelevant because I have been moving houses every year for the last seven (7) years (even across countries a couple of times. All the social media accounts I have are completely empty, I just keep them around to get a hold on to my nickname.

    I recently found, in my website’s HTTP logs, several requests from a web crawler controlled by ZoomInfo [3] an American subscription-based software as a service (SaaS) company that sells access to its database of information about business people and companies to sales, marketing and recruiting professionals. I was going to configure my firewall to block these requests but then I remembered —hey! my website only has information I am comfortable sharing, so it doesn’t matter— but I’ve been thinking it is just a matter of time before someone hacks one of their systems and leaks their database.

    In my previous-previous job I found a fairly simple (persistent) XSS vulnerability in BambooHR that allowed non-authorized users to access data from all employees registered in the website including Social Security Numbers (SSN). I told my boss and we immediately edited everything before migrating to a different system. We never knew if BambooHR fixed the vulnerabilities and I wouldn’t be surprised if the data was leaked before or after I found the security hole.

    Software security is such a Whac-A-Mole game, even if you get the budget to conduct security audits on your code, there is always going to be a weak link somewhere in the chain and that will be your doom. This is one of the many reasons why I left that job as a Security Engineer, the other reasons were Meltdown [3] and Spectre [4] they both made me realize I was fighting for a lost cause.

    [1] https://haveibeenpwned.com/NotifyMe

    [2] https://en.wikipedia.org/wiki/ZoomInfo

    [3] https://en.wikipedia.org/wiki/Meltdown_%28security_vulnerabi...

    [4] https://en.wikipedia.org/wiki/Spectre_%28security_vulnerabil...

  • by throwaway834792 on 5/15/20, 2:07 PM

    Based on a large (over 50 results) domain search for a company I work for, the data I found was very old, circa 2014.

    I know this because almost everyone in the domain search stopped working for the company on or after 2014. Everyone else has worked at the company since 2013 or earlier.

  • by tru3_power on 5/15/20, 6:30 PM

    I did some quick searching for the dataformat included in the snippets from the article. Lots of repos with stored secrets that match:

    https://github.com/acalvoa/SRID_CHANGER/blob/da367e68433b3fd...

    Stored secret:

    https://github.com/acalvoa/SRID_CHANGER/blob/master/config.p...

    Will look more into this later

  • by killswitched on 5/16/20, 3:22 PM

    Some emails that turned up on my end: Dr. Dobbs and New Relic, although the leaks occurred from parties to whom these sites had provided my data, including at least unique email addresses.

  • by forgotmypw23 on 5/15/20, 11:56 AM

    The first thing that comes to mind is recaptcha with some overlays. they would know almost every account you've registered for.

  • by cm2187 on 5/15/20, 1:26 PM

    Does elasticsearch have no authentication by default like mongodb or did someone deliberately make it public?

  • by wnevets on 5/15/20, 5:34 PM

    Am I the only one who dislikes some of those column names?

    isNonIndividual, IsNonVisibleToOthers, ShowableNonVisibleToOthers

  • by wjnc on 5/15/20, 10:47 AM

    Question: It was my understanding that a lawyer could sue the cloud provider for customer details of the cloud service in detail? It would be relevant information in determining liability for leaking this PII.

  • by voidmain0001 on 5/15/20, 6:16 PM

    Firefox Monitor includes the db8151dd data: https://monitor.firefox.com/?breach=db8151dd

  • by jonykakarov on 5/18/20, 12:30 AM

    what I can't understand is that I never heard of this covve app neither most of the affected users in the comment section on reddit or troy website or even here as no one thought of it , and my email does exist on the breach, also the data seem to be huge (103,150,616 rows/90GB)for an app that have about 100k install, need some explanations here.

  • by bluesign on 5/15/20, 12:13 PM

    It’s contact data from iOS and android phones probably scraped via some malware app/apps