An underground forum called Nulled.io that helped users share stolen credentials, software cracks, and leaked content was hacked earlier this month, spilling a glut of information, including users’ email addresses, encrypted passwords, and IP addresses, among other details.
According to researchers at Risk Based Security who reported the breach last week, a 1.3 GB tar.gz file, which expanded to a massive 9.45 GB SQL file was leaked on May 6. A deluge of information relating to the message board was leaked, including details on roughly 536,064 registered users – and 800,593 personal messages between them, according to the firm.
The site, which ironically goes by the tagline “Expect the unexpected,” is currently offline. A placeholder message claims the service is experiencing “temporary unscheduled maintenance.”
Usernames for patrons of the site were leaked; along with the dates they registered, IP addresses they used to register for the service, and their encrypted passwords. Information on how some users paid, including payment methods, PayPal emails, dates, and costs, listed in table form, were leaked as well.
Other potentially personally identifiable information, including 2.2 million posts, many which were previously private and part of a VIP section, were dumped as well, along with API credentials for three payment gateways, and more than 907,000 authentication logs. According to Risk Based Security, information from those logs – including geolocation data, member ID and IP addresses, and user donation records – could be cobbled together and matched with member ID numbers.
Technically 5,582 purchase records and 12,600 invoices – which link back to those donation records – were also dumped, according to the firm.
It’s unclear exactly how the forum was breached but as Risk Based Security points out, the site was running a type of forum, IP.Board, made by Invasion Power Services, Inc., that has several documented vulnerabilities. The firm notes that 185 total vulnerabilities exist in IP.Board, 92 which don’t have a CVE.
According to a blog post by the firm last Tuesday, the last user to log into the forum did so that previous Friday, May 6, suggesting the breach may have occurred late that night.
Later that weekend, Daniel Cid, CTO/Founder of Sucuri, a web security firm, warned on Twitter that forums could be a “sweet spot” for attackers looking to exploit the ImageTragick vulnerability, adding that he had noticed some attempts against IP.Board, in addition to vBulletin forums.
@danielcid Forums seem to be the sweet spot for #ImageTragick.
— Daniel Cid (@danielcid) May 9, 2016
Vulnerabilities in ImageMagick, a type of open source image processing software, were outlined earlier this month. Attackers could leverage the vulnerabilities by affixing malicious code to an image file that the software processes and in turn, triggers remote code execution.
For what it’s worth, while combing through the Nulled.IO database, Risk Based Security noticed that 365 users who accessed the site used .edu addresses. Eight other users accessed the site via .gov addresses, and emails stemming from government domains in Jordan, Brazil, Malaysia, and Turkey.
When it comes to the leaked information, it likely won’t be too difficult for anyone, law enforcement included, to connect the dots.
“When services such as Nulled.IO are compromised and data is leaked, often it exposes members who prefer to remain anonymous and hide behind screen names,” the firm wrote Tuesday, “By simply searching by email or IP addresses, it can become evident who might be behind various malicious deeds.”
“With this being such a comprehensive dump of data it offers up a very good set of information for matching a member ID to the attached invoices, transactions and other content such as member messages and posts,” the firm warns.
