LeakedSource: 'Assume Every Website Has Been Hacked'Breach Notification Service Claims 'Bigger Fish' To Be Announced
LeakedSource has been at the forefront of the major data breaches of late. The subscription-based breach notification service, which launched last year, has often been first to obtain massive troves of stolen data, including credentials for users of LinkedIn, MySpace and most recently, the international social networking site Badoo.com and the Russian site VK.com, also known as Bkohtakte or Vkontakte.
LeakedSource says it has cultivated a relationship with Tessa88@exploit.im, a mysterious figure who has supplied it with several batches of data for free. It's unclear why Tessa88 is releasing the data now because the breaches actually occurred years ago.
But the leaks have sent a shiver through major web services: Which one is going to be next? (see MySpace Fallout: More Big Breaches to Come?). It has also caused headaches for web services that have not been breached, as hackers are trying to see if leaked credentials work for these entities, too (see TeamViewer Bolsters Security After Account Takeovers).
A LeakedSource representative who didn't want to be named told Information Security Media Group in an instant messaging chat that there are "bigger fish" coming. "We hesitate to name names until we have confirmed things, but just assume every website has been hacked," the representative said.
Data for Sale
In early March, Tessa88 put several posts on underground forums advertising the data he held. He was apparently trying to find a buyer, with price points per 1 million credentials.
For example, 1 million MySpace credentials were priced at $150, 1 million VK.com credentials could be had for $40, and 1 million Dropbox credentials for $150. He also listed credentials for other services, including Badoo, Qip, Rambler.ru and Mobango.
Tessa88 also listed the number of credentials he possessed for every service. For example, he claimed to have 380 million MySpace credentials and 137 million for VK.com. The numbers haven't been far off: it has been confirmed that about 360 million MySpace credentials were released, and LeakedSource says the VK.com breach had about 100 million.
It's unclear if Tessa88 actually has Dropbox credentials. On June 1, Chris Peterson, Dropbox's head of engineering, told ISMG that Dropbox was aware of Tessa88's post from early March, but those credentials were mislabeled and from another breach.
Security blogger Brian Krebs wrote on June 2 that Lifelock and several other identity theft firms sent out alerts of a possible Dropbox breach, which turned out to be false. The 73 million credentials labeled as belonging to Dropbox actually was data from a 2013 breach at Tumblr.
The LeakedSource representative says the company hasn't seen Tessa88's Dropbox data, but says it would be hard for Dropbox to know what Tessa88 claims to have unless the company has obtained it.
After it loaded the VK.com data into its service, the LeakedSource representative says his company received a flood of traffic to its website. "There wasn't a single complaint about inaccurate data," the representative says.
In a Russian-language statement, VK.com didn't directly confirm a breach but said the data did not contain active logins. The website strengthened its password security around 2012.
On June 2, LeakedSource also added credentials from Badoo.com, another social networking service, to its search engine. Badoo.com hasn't responded to queries from ISMG.
The LeakedSource representative says the company is now in contact with Badoo.com and trying to verify if a breach occurred. The news site Motherboard reported on June 2 it was able to link some of the Badoo.com credentials to active accounts but that the service denied being breached.
Troy Hunt, who runs a data breach notification service called Have I Been Pwned, says he has the VK.com data but not the Badoo.com batch. "Both of them are questionable in terms of legitimacy," he says.
Data breaches can be difficult to verify because underground brokers sometimes amass data from several leaks in a mislabeled bundled.
All of the data is now for sale on TheRealDeal, an underground marketplace hosted on a Tor hidden service. The vendor goes by the nickname "peace_of_mind" and would appear to be a separate person from Tessa88. And they reportedly aren't friends.
"On the contrary, they actually hate each other for some reason," the LeakedSource representative claims.
The reason behind why all of the breaches have been released in rapid succession remains unknown, even to LeakedSource. "We're not sure on that one," the representative says.
It is likely related to economics. Typically, the older that data is, the less useful it is to hackers because people change their passwords. LeakedSource says in some cases it has been three to five years since some services were breached. The prices listed on TheRealDeal are also at a drastic discount from Tessa88's posting in early March.
"They could have sold the databases 100 times for $5,000 each by now and no longer care," the LeakedSource representative says.