The leak of leaks: 15 bln records stolen from a breach monitoring service Data Viper

What happened

A cybercriminal with the handle NightLion claims to have breached Data Viper, a data leak monitoring and indexing service owned by the internet security firm Night Lion Security. A Data Viper spokesperson denies this and claims that the hacker obtained only a small amount of data from their development server. The Breach Report team conducted an independent investigation and has some evidence that the company's statement might not be entirely true.

The hacker wrote in his e-zine that he spent 3 months on Data Viper's servers exfiltrating the databases that the company had indexed to monitor leaks. The attacker says that the service, run by the security researcher Vincent ("Vinny") Troia, is no better than illegal data aggregation sites such as WeLeakInfo and LeakedSource, which have been shut down by police authorities over the past few years. According to the hacker, Data Viper sells data access to private companies, law enforcement agencies, and even some criminal groups such as GnosticPlayers, with whom Troia allegedly has "special relations".

The attacker disclosed some Data Viper customer records, including names, e-mails, and hashed passwords. Judging by the e-mail domain names, Data Viper clients include the Dubai Police Force, the FBI, Europol, and some commercial organizations.

Vinny Troia told the IT magazine ZDNet that the hacker did access a Data Viper server, but only a development one. He claims that the attacker obtained the databases separately. According to him, these records have been circulating openly on the dark web for many years; Data Viper simply got the data from the same hacker communities. Vincent Troia also believes the attacker is connected with criminal groups such as TheDarkOverlord, ShinyHunters, and GnosticPlayers, which he exposed in his book published earlier this year.

“I will say the irony of how they got in is absolutely amazing,” Troia stated. “But all of this stuff they claim to be selling is [databases] they were already selling. All of this is from GnosticPlayers. None of it came from me. It’s all for show to try and discredit my report and my talk [at SecureWorld conference].”


Analysis by Breach Report

Breach Report analyzed the list of 8,225 databases allegedly stolen from Data Viper. Indeed, the majority of them have been available openly on hacker forums before. But some of those databases appear to have been posted for public access for the first time.

This may be related to the fact that the Data Viper owner sought to differentiate the service by advertising "access to private and undisclosed breach data." Security researchers wrote in 2018 that Troia had admitted posing as a buyer and seller in various dark web communities to purchase old and newly hacked databases from other forum members.

Buying breached databases is illegal, even for internet security services. This is why Breach Report neither participates in malicious activities nor engages with hackers. We access only breaches that can be found publicly or that are donated to us.

The attacker has published on his website a list of 482 JSON files containing samples of the stolen data. The Breach Report team has analyzed these as well. They are valid databases that were openly available on the dark web. However, the way the data is organized casts doubt on the credibility of Troia's statement: all samples share the same data structure and organization, which differs from the original leaks. Restructuring 482 samples, let alone all 8,225 databases, looks like far too much work for a hacker whose only goal is to resell them.

Here are some screenshots of three samples published by the hacker:


Some databases leaked from Data Viper have already appeared on the dark web for free. For example, on one hacker forum NightLion posted dumps belonging to Bukalapak.com, Bookmate.com, Coubic.com and JCPenney.com. Most of the data was not encrypted and looked the same as in the samples. Also, on August 5 a large dump containing 20 million e-mails and passwords was uploaded; the hacker who uploaded it claims that he bought it from NightLion for $500. When we checked it, it turned out that the database was taken entirely from the combolist known as Collection #1.

If we suppose that these databases were stolen from Data Viper, then it compromises the company even further, because a cybersecurity firm should not store raw data. There are ways to avoid such problems.


Standards of breach monitoring

We at Breach Report approach data management very differently. When we work with a dump file, we analyze and process it. All records, including e-mails, are hashed before being added to our database. We work solely with e-mails and passwords and only indicate that additional sensitive information was compromised in the original leak. We use the deliberately slow, memory-hard password hashing function Argon2, winner of the Password Hashing Competition. We do not store the original databases.

Breach Report does not sell or trade personal information. We apply a "zero-knowledge" principle: our employees do not have access to personal information, and users can access it only after validating ownership of their e-mail address or domain.
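To make the pipeline described in the two paragraphs above concrete, here is an added toy breach index (example code, not Breach Report's own): raw "email:password" dump lines are parsed, e-mails are reduced to a keyed hash so they can still be looked up after ownership validation, passwords get a salted memory-hard hash, and the plaintext is discarded. It assumes a server-side secret `INDEX_KEY`, and uses `hashlib.scrypt` from the standard library as a stand-in for Argon2, which Python does not ship.

```python
import hashlib
import hmac
import os
from collections import defaultdict

INDEX_KEY = b"assumed-server-secret"  # assumption: secret kept outside the DB


def email_token(email):
    # Deterministic keyed hash: the same address always yields the same
    # token, so lookups work, but the database holds no plaintext e-mails
    # and the token cannot be reproduced without INDEX_KEY.
    norm = email.strip().lower().encode()
    return hmac.new(INDEX_KEY, norm, hashlib.sha256).hexdigest()


def hash_password(password, salt=None):
    # Memory-hard hash with a fresh random salt per record (Argon2 stand-in).
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


class BreachIndex:
    def __init__(self):
        self._db = defaultdict(list)  # token -> [(source, salt, digest)]

    def ingest(self, source, dump_text):
        # Parse "email:password" lines; malformed lines are skipped.
        added = 0
        for line in dump_text.splitlines():
            if ":" not in line:
                continue
            email, password = line.split(":", 1)
            if "@" not in email:
                continue
            self._db[email_token(email)].append((source, *hash_password(password)))
            added += 1
        return added  # the raw lines are dropped here, never stored

    def exposures(self, email):
        # Call only after the user has proved ownership of `email`.
        return [src for src, _, _ in self._db.get(email_token(email), [])]

    def password_exposed(self, email, password):
        # Re-hash with each stored salt; constant-time compare of digests.
        return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
                   for _, salt, digest in self._db.get(email_token(email), []))


# Constructed sample dump for demonstration, not a real leak
SAMPLE_DUMP = "alice@example.com:hunter2\nbob@example.com:P@ssw0rd\nmalformed line\n"
```

Note that a random per-record salt on the e-mail itself would make lookups impossible, which is why the e-mail side uses a keyed deterministic hash while the password side uses a salted one.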

Our personal data management complies with international standards such as GDPR, CCPA and LGPD. All of this helps us avoid leaks of user data.


Tips on user data management

Not everybody has access to cutting-edge encryption technology, so we have prepared some advice for keeping user data safe on cloud storage platforms.

1. Use cloud services with data encryption or install additional software to encrypt the most important documents.

2. Use strong passwords and 2FA.

3. Check your data access settings. Don't leave your data openly accessible, don't post sharing links publicly, and revoke access to the data when it is no longer needed.

4. Empty the recycle bin and deleted-files folders.

5. Keep track of the apps that use your data, and try to avoid them altogether.

6. Switch on new-device log-in notifications.

7. Make sure to wipe all your data and revoke access to your services on devices that you sell or give away.

8. Log off after you finish using a device, especially if you are not its only user.

9. Set up account recovery using a phone number or a second e-mail address.

10. Monitor personal data breaches with reliable services such as Breach Report.