Cyber Threat Intelligence @ securitydiscovery.com, journalist, OSINT | Responsible disclosures | Security consultancy | Contact me: bob@diachenko.net

Germany/Ukraine 🇺🇦
OK, #TikTokBreach is real. Our team analyzed publicly exposed repos to confirm partial users data leak.
64
1,353
4,231
👀
214
395
2,799
2,078,240
[BREACH ALERT] 280M+ records in this Indian database, publicly exposed. Where to report? @IndianCERT ?
109
677
1,648
A wide open bucket full of scanned Aadhar and PAN cards (126k records). Not sure where to report but @IndianCERT
35
300
715
A popular Chinese mobile phone manufacturer collects this type of info from its devices and stores on a public server: IMEI, serial, cpu serial, fuzzy location with geo, device name/type, wifi mac and IP (if available).
26
159
523
119,640
This is how they monitor and analyze our tweets now
37
158
424
More than 6.7M Iranian IDs exposed: names, SSN, phone numbers. Reported to Iranian CERT, but if you have a better contact please let me know.
25
135
421
Unprotected Elasticsearch cluster exposed personal data on millions of Iranian 🇮🇷 citizens, incl.: - 46M+ Instagram accs+phones - 1.2M+ Twitter accs +phones - 180K+ Telegram accs+phones +other info (cars, voters, sims, phones locations). Now cluster is destroyed. More info later
34
111
405
This could be the biggest collection of carefully collected and exposed personal data I've seen in India. 250M+ resumes, almost 1/5 of country's population left unattended. Name, address, employment history, DOB, skills, email, mobile/land ph, education, salary level. More later
22
226
403
Apparently, this is the TSC (Terrorist Screening Centre) dataset publicly exposed (tsc_id is the only clue), with 1.9M+ records. In any case, any thoughts as of where to responsibly report?
74
153
376
Raychat (@Raychat_io), popular Iranian business and social messenger, exposed its entire database (267M+ accounts w/ names, emails, passwords, metadata, encrypted chats etc.). DB is now destroyed by bot attack. No response from the company.
13
107
382
A totally random discovery (thanks to Trufflehog!) of tons of PII and non-public information on its way to the remediation thanks to you, my followers.
9
6
341
98,367
[BREACH ALERT] One of the largest EU-based virtual cards operator exposed its server, with 67M+ records, incl.: - sender name/email/DOB/geo - a card's message - receiver's name/email/geo - sender's IP Database spans 2014-2022 (hence the size), includes FR/DE/ES/IT locales. 1/2
10
103
266
ICYMI: We found Trump's email server passwords in plain text and did not read his mails, because we are wearing white hats here. forbes.com/sites/leemathews/…
13
110
252
Data is likely to come from Hangzhou Julun Network Technology Co., Ltd rather than TikTok. Still, the question is, why is there so much data?
14
24
252
Breach alert: on Apr 7th 🇧🇷-based fintech IUGU exposed its entire database, incl. ALL customers and account details: emails, phones, addresses, invoices etc. IP with 1.7TB indexed by Shodan, I immediately alerted the company, db was taken down within an hour. No response.
21
82
241
At the same time thousands of LastPass login pairs were found in the recent Redline Stealer malware logs I reported earlier... Coincidence?
7
53
228
NEW RESEARCH: Only 3 hours after #Shodan indexed our #MongoDB #honeypot, a Chinese IP connected to it, wiped it out in 13 seconds and left a ransom note. More info: mackeepersecurity.com/post/h…
5
154
227
I am currently looking at 1B+ records and can't exactly tell what is this
22
17
166
Received anonymous tip on another (?) Facebook data circulating in the darkweb: 2,377,841 records with UID / username / location / email. UIDs are incrementally sorted, from 100000000003XXX to 999998XXX. Is that part of 2018 breach?
6
50
155
Again, local assistance required to isolate HUGE exposure of PII docs! This time - Colombia 🇨🇴. EPS Sanitas, part of Keralty [@Keralty_EurAsia] int'l group, exposes MILLIONS of scanned insurance docs of Colombian citizens + passports. No response for weeks.
7
63
133
65,748
Mir24, one of the federal tv channels, inadvertently left its video repository production keys in the wild. So this is what happened next.
6
28
108
[NEW REPORT] The Independent, a UK-based newspaper, exposed one of its S3 repos (which apparently was designed to be public but contained other files), with subscribers info from 2014-2018, incl.: full name, address, password, DOB, phone, email, IP, geo, interests. etc. 1/2
4
34
119
Just came across a giant database with more than 202 Million Chinese CVs, with pretty much detailed info. - name, email, phones, genders, child counts, marriage status, politics stat (?) - and, of course, skills, work history etc. Any ideas where to report?
28
56
116
There is no such thing as 'free VPN'. In this case (Iranian?) product named Topvpn[.]cc (100k+ d/l on playmarket) accidentally exposed its logs with collected users data: user agents, IPs, ID+tokens w/expiration date, geo, referrers, etc.
2
37
104
44,784
Current developments on this as of Sep 27: - I got in touch with AWS security team so they would contact the owner of the secret keys/buckets and get them rotated/secured; - Apparently, someone responsible for the gov't portal IT maintenance was made aware of this "overlap" and cleaned up the configuration file (no secrets now); - However, the "cleaned up" file in question STILL contains references to the external S3 bucket(s) which is STILL publicly listed and downloadable (of course, it contains PII); - As soon as every issue is addressed, I will publish a report with the additional details.
2
22
115
29,422
This is getting ridiculous. Database is real-time updated and now +8GB in size. Do I have French-based researchers or local media reps to contact these guys directly on the ground? @troyhunt - will keep you updated soon
[SOON] One of the biggest job agencies in France leaking all their candidates info, including: social security cards (+scans), names, emails, physical addresses, mobile phones, job history, links to S3 buckets with info (access key+sign). More than 2M rec. No response. #GDPR
10
74
103
Imagine how it feels
3
47
107
Looks like 'they' found a way to abuse Twitter API and get emails and/or phone numbers too (see my previous posts earlier today). It wasn't a surprise for Instagram and Telegram data but first time with @Twitter if I'm not mistaken.
4
27
96
Have these leaks been reported earlier?
5
11
88
37,074
OK, what we have here is: email, first/last name, full address, zip, phone number, and IP. Almost 57 Millions of records sitting in open Internet.
3
30
88
Petco Mexico (@Petco) had a 'cyber security' incident as a result of MongoDB misconfig, with PII of its customers exposed in the wild for 24h+ at least. Order detail, phone, email, name : 3.8M+ records. Luckily, quickly addressed after my resp. disclosure. No comment though.
2
31
93
So, it took cyber criminals only 2 days to find and wipe out an unprotected MongoDB with almost 5 Million records of Mexican electronic invoices (CFDI), with a lot of PII involved. Data seemed to be managed by yet-unknown provider, with some big companies on board...
9
79
83
[SOON] One of the biggest job agencies in France leaking all their candidates info, including: social security cards (+scans), names, emails, physical addresses, mobile phones, job history, links to S3 buckets with info (access key+sign). More than 2M rec. No response. #GDPR
8
73
83
BravoVPN exposed IPs of its customers. 58M+ records. Most IPs come from Asia and Middle East regions. Each IP has a unique userID. No other sensitive information leaked, only IPs and userIDs (plus uptime). Is this a violation of privacy? Owners never replied to my emails.
2
25
82
These are the companies which had payroll invoices (4+ Million) compromised in the MongoDB leak in Mexico last week. Owner of DB is still unknown, but data is now wiped out, with a ransom note demanding 0.5BTC. Need your help to find out who was reponsible for making it public.
13
81
80
New Elasticsearch bot attack does not contain any ransom or threats, just 'meow' with a random set of numbers. It is quite fast and search&destroy new clusters pretty effectively
7
42
69
[NEW REPORT] Please don't be surprised when you receive another data breach alert from @haveibeenpwned and @troyhunt and we tell you why here: blog.hackenproof.com/industr…
2
40
72
Iranian exposure: Bargheman(.)com- large "official portal for inquiry and payment of electricity bills of the electricity distribution companies" (site is only seen from IR-based IPs) leaks users PII (name/ID/mobile/email), partial CC, meters data. 484K+ records and updating r/t.
6
25
71
[NEW REPORT] Misconfigurations happen - no matter how big or secured a company is. Here is my new report. 250M+ million Microsoft's Customer Service and Support (CSS) records were exposed on the web. comparitech.com/blog/informa…
2
42
70
172M+ Taiwain and Chinese citizens personal data exposed: ID Card Number, name, phone number, DOB, company, address etc.
5
23
68
Insomnia Cookies [@insomniacookies] left almost all of their prod credentials exposed via publicly accessible dot-env file on one of its IPs (indexed by all IoT search engines). Silently secured after responsible disclosure, no response.
3
6
66
One of the biggest CIS-based online casinos exposed its entire prod env via passwordless 580GB+ MongoDB for months. Looks like all of its millions-sized userbase info was there: names/phones/emails/DOB/location/IP/partial payment info etc. + internal passwords/tokens. Now secured
3
25
69
[UPDATE ON IRANIAN DATABASE INCIDENT] @TAP30_ir @nima @kh_ashkan
3
13
67
Did you know that Whirlpool scans your IoT appliances every hour and collects data such as email, SAID, model name and number etc? I found their exposed MongoDB with this data and responsibly disclosed it. Report coming up today.
6
44
65
We set up Elasticsearch honeypot and watched it destroyed. Over three dozen attacks occurred before the database was even indexed by search engines like Shodan / BinaryEdge: comparitech.com/blog/informa…
5
28
69
Confirmed. Everyone is affected. Or you are not on the Internet.
I have a major #Databreach announcement tomorrow - 1.2 BILLION people exposed from a single organization. More details soon. @lilyhnewman @troyhunt @MayhemDayOne @DataViperIO
5
37
64
I must say I really enjoyed my conversations with different reps of @Razer support team via email for the last couple of week, but it did not bring us closer to securing the data breach in their systems.
10
15
62
[NEW REPORT] Here is what we know on that large Indian data leak I've discovered this week securitydiscovery.com/delhi-…
2
33
60
UPDATE: while there is definitely a breach, it is still work in progress to confirm the origin of data, could be a third party.
OK, #TikTokBreach is real. Our team analyzed publicly exposed repos to confirm partial users data leak.
2
24
58
Thank you all for the support - I am expecting to hear more from potentially affected company very soon and will update the story / publish report as soon as I have final info.
3
54
I am from Ukraine and Hackerone not sending bounties here as well (they owe me like 3k usd since Feb). I guess they simply disabled payouts to the entire country, no matter if it is occupied or not. Right @Hacker0x01 ?
Today, Hackerone took $25k from me, because I am a belarusian citizen. 1/9
1
11
54
Finally we will have some sleep today. It's been 2 days when we woke up after Russia bombed Kyiv but feels like an entire life. Had to leave our cat to friendly people in Lviv. Stand with Ukraine. These are Putin's last days.
2
3
54
[NEW REPORT] 800+ Million emails/IPs/names/addresses/DOBs leaked online by email verification service - and this is just a tip of an iceberg. Read more here: securitydiscovery.com/800-mi…
5
38
56
[BREACH ALERT] On July 20th, a huge dataset of popular social media influencers data points was accidentally exposed/indexed. Apparently part of Campaygn (an influencers marketing firm). In total, 9 nodes were exposed. Total count of records: 231M+. Now secured, no response. 1/
3
23
57
database is now secured!
2
1
53
Mexican #breachalert: 21,419,493 records, incl.: RFC (tax ID), name, phone, address, full credit card number (!), credit line amount. All exposed via unprotected anonymous ES cluster end of Aug. Now taken down. Source of data is yet unknown.
2
34
54
[UFO VPN STORY UPDATE] After the exposed data had been secured, it resurfaced a second time on July 20 at a different IP address - all of the records destroyed now by a new “Meow” bot attack.
4
26
49
[NEW REPORT] Here is my short take on what happened. Call me old-fashioned but I would prefer to have an Internet-disconnected dishwasher these days securitydiscovery.com/whirlp…
3
23
50
Indonesia anyone? 🇮🇩 Thousands of highly sensitive airforce stuff clearance documents exposed online, incl. passport scans, PII etc of accredited personnel from around the world, e.g. Lockheed Martin people.
4
25
49
Redline Stealer malware logs with more than 6M records were exposed online, publicly (now taken down). Internationally sourced data, exfiltrated in Sept and Aug 2021. RS is the key source of identity data sold on online criminal forums since its initial release in early 2020.
5
13
50
And in pre-final, Halloween-ish twist of DashVPN/FreeVPN.org data exposure event...
2
8
47
A global hospitality industry SaaS operator exposed its database with almost 5M reservations details, incl. names, DOBs, VIP status, PmsID, Passport Nos and emails of guests of big chain hotels wwide. First seen on Shodan on Feb 11, db is now quietly secured. More to follow
1
26
47
Officially: starting today, I have joined @Hacken_io team and will be assisting them to develop/deploy security services and, of course, spread knowledge and cyber hygiene rules all around the globe with my reports and investigations. Stay tuned!
5
8
49
yet another giant email/name/phone/IP collection database used by a direct marketing company - 22 million records. Quick check of some emails on @troyhunt @haveibeenpwned did not show any previous breaches..
2
31
45
[NEW REPORT] More than 259M patients records exposed as a result of Elasticsearch misconfig incident in Indian cloud hospital management system called eHospital. It was launched 2015 as one of the government initiatives to digitise governance in the country. Now secured. 1/2
1
15
48
Confirmed - there are duplicates in the dataset so the total number of unique records is less than 6.7M. My estimation is 1-2M
5
1
44
OK, Twitter - now I need follwers from Brazil to alert local business on leaky database. HBook, part of @hsystemtec exposed half of million of booking requests, credit card info, passwords, profile details etc. No response yet.
12
52
42
Is this good enough for a "Twitter Data Breach" story?
3
12
44
Security team at @ClaroVideo - please respond to my email, there is a configuration issue with one of your servers, exposing customers data (email, username, ID, pwd hash etc): @ClarovideoCO / @ClaroVideoPE / @ClaroVideoBr and other.
4
26
48
An Iranian server (Telegram clone app?) hosted dataset with 10M Israeli citizens info, presumably part of larger Truecaller leak (which they never confirmed). Data included: phone, name, email, TC photo link, Whatsapp status/avatar etc. Now taken down.
3
19
45
Someone left exposed private keys/transfer IPs/balances details for a number of 1400+ high-profiled BTC wallets (e.g. each one with 7-9k BTC). Most marked as 'active'. 🧐
6
8
44
Another #Instagram related data breach - almost 3M records exposed, with UID/username and emails. Can't recall when emails were part of similar things, @zackwhittaker ?
16
42
Still exposed. Passwordless database of DashVPN/FreeVPN.org users and their info. No response or whatsoever.
Since Fri I've been trying to get in touch with someone from ActMobile [@ActMobile] to responsibly alert that their VPN userbase (45M+) info (email, pwd, IPs, devices etc) is exposed to public but no luck. Incl. but not limited to @DashVPN, FreeVPN.org. Anyone?
3
15
43
OK, I know that @fs0c131y has all-Indian attention now, but an Indian data collector company is exposing half a million of detailed records of Delhi citizens and not responding to alerts.
7
31
42
I would like to publicly thank Meta/Facebook. For the last couple of months I reported 3 (three) Facebook databases to @Meta scraping bug bounty program; and was awarded totally 23,200 USD which are aimed for GlobalGiving’s Ukraine Crisis Relief Fund. 🇺🇦🇺🇦🇺🇦
1
6
44
I'm sure many people saw this when it was up: 11,651,162 enriched Instagram profiles; 81,551,567 Facebook; 66,117,839 LinkedIn. All IG data w/emails, phones. According to some indirect proofs, this data was gathered by a Chinese-based marketing company, SocialArks.
1
21
41
[UPD] Many 'verified' Twitter accounts data exposed, geo is not limited by IR. E.g.: @AnthonyAdragna, @SattarSaeedi, @roxannevarza, @BahramRadan , @HRHMediaOffice and more. Emails including.
Unprotected Elasticsearch cluster exposed personal data on millions of Iranian 🇮🇷 citizens, incl.: - 46M+ Instagram accs+phones - 1.2M+ Twitter accs +phones - 180K+ Telegram accs+phones +other info (cars, voters, sims, phones locations). Now cluster is destroyed. More info later
3
10
37
How come that @McDonalds does have proper security contact page and does not have proper incident response protocol when leaking production AWS keys?
3
5
40
[NEW REPORT] Seems like this is the biggest personal data exposure in the modern history of Brazil. Read more: blog.hackenproof.com/industr…
4
35
42
correction - not 250M, but 275M+ records
2
3
41
Hi @CSDThailand - there is a huge passwordless repository exposed with PII of "aliens" and TH-citizens who entered the country + more sensitive info, please respond to my email or provide a valid contact to report (I was able to find my passport, too!). @ThaiCERT informed.
4
31
40
Found a database with 50M users' scraped LinkedIn data, owner unknown. Data fields include emails, names, professional info, company info, skills, location etc. Mysterious 'talent_iq' and 'force' categories - any ideas where that might come from?
6
19
37
After @zackwhittaker covered EE leak, I ran a couple of queries on Sonarqube. Shocked to see more than 3K+ instances available, with roughly 30-40% of them set without auth, and almost half of those containing source code with prod data. Big names involved, another area to cover.
2
6
38
WTF @Hacker0x01 ???
I'm from Ukraine too. Recently received answer from HackerOne that Ukraine is under the sanctions of the USA. This statement is false. Because sanctions were imposed against the countries aggressors (Russian Federation, Belarus).
11
32
Yamaha Music AU [@yamahamusicau] secured data exposure via index dir. after my alert w/o any notice. Data was searchable at least for a month. Apart from 'live database' and all types of configs, orders were public: name, email, phone, SKU and address (ca.2k cust. from 2021).
3
12
39
23,163
Do I have followers from Sweden ready to assist in responsible disclosure? Trying to email/call the company but have only voicemail in Swedish. Children tracking and monitoring platform left all their digital keys online (db passwords, admin creds, AWS key, API secrets etc etc)
7
19
32
Seems like @AmexIndia exposed its #MongoDB for a while, with some really sensitive data (base64 encrypted). Now secured (just when I was preparing responsible disclosure), but question remains how long it was open. Found with @binaryedgeio engine.
6
21
38