This Week: Unhappy Accidents and Avoidable Leaks

That'll do, pig. That'll do.
January 13, 2017

The Terbium Analyst Team is on the front line of combating dark web myths and legends. Whether it's a threat report, white paper, or blog post, the Analyst Team's job is to know things and speak intelligently about them. Other interests include weightlifting, chocolate, and accumulating obscure dark web trivia to amuse and confuse our co-workers.

What do a typo, a hacked database, and a tweet have in common? Leaked credentials. This week we saw three major leaks that could have been avoided. While we are constantly advised to be on the lookout for malicious actors, sometimes we are our own worst enemies.

You Had One Job

An email from the National Australia Bank (NAB) containing the names, addresses, email addresses, branch details, account numbers, and NAB identification numbers of 60,000 customers was sent to an email address at rather than. While the bank is working to ensure the accounts are secure, the personal information of those sixty thousand customers is now beyond the bank's control.

Portal Brazil mistakenly posted a tweet with a link that exposed all of their passwords, including those for Instagram, Facebook, and Gmail. The link was attached to a tweet announcing that the National Force will remain in Rio Grande do Norte for another 60 days. A note, written in red next to one of the passwords, said "do not change the password ever". After the incident the post was deleted and Portal Brazil changed their passwords, supposedly. Not a good day.

Regardless of how quickly an organization realizes its mistake, the damage is already done. The organization earns a reputation for carelessness with its (and others') data, and there is a strong likelihood that others saw, and saved, the information.

But Wait, There’s A Tool For That

A myriad of tools exist that automatically crawl, copy, and save sensitive information mistakenly posted online. Most of these bots are written with malicious intent: they seek to monetize and exploit human error.

But some of these automated tools have a nobler purpose. truffleHog, a Python program recently published on GitHub, lets developers scan the source code they have published online for credentials (for example, API keys) left hard-coded in the files. It does this by walking the repository's git history and flagging high-entropy strings, so it finds secrets in every previous version of the code, including ones that were later deleted from the current files.
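The core of that approach is small enough to show in full. The script below is an added example written for this post, not truffleHog's own code: it measures the Shannon entropy of base64-looking and hex-looking runs in a diff and reports the ones that look like secrets. The minimum length and the two entropy thresholds are assumptions chosen to match what the original truffleHog used, and the sample hunk, including the AWS-style key and the commit hash in it, is constructed for the example and contains no real credential.

```python
import math
import re
import sys

# Alphabets a truffleHog-style scanner checks. Any character outside the set
# (a quote, an underscore, a space) ends a candidate run.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"

# Assumed settings, chosen to match what the original truffleHog used: runs
# shorter than MIN_LEN are skipped, and a run is reported when its Shannon
# entropy over the matching alphabet exceeds that alphabet's bound.
MIN_LEN = 20
ALPHABETS = {"base64": BASE64_CHARS, "hex": HEX_CHARS}
THRESHOLDS = {"base64": 4.5, "hex": 3.0}
PATTERNS = {
    "base64": re.compile(r"[A-Za-z0-9+/=]{%d,}" % MIN_LEN),
    "hex": re.compile(r"[0-9a-fA-F]{%d,}" % MIN_LEN),
}

# Constructed sample hunk in the shape `git log -p` emits. The key and the
# hash below were made up for this example and are not real credentials.
SAMPLE_DIFF = """\
+# settings.py
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
+AWS_SECRET_ACCESS_KEY = "qZ8vX2nB7mK4pL9rT3wY6jH1sG5dF0cA+/uEIOVJ"
+DEFAULT_BANNER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+handler = ThisIsAVeryLongVariableNameInCamelCase
+PINNED_COMMIT = "3f7a9c1e5b2d8046fa3c7e9b1d5a2f8c4e6b0d97"
"""


def shannon_entropy(data, alphabet):
    """Bits per character of `data`, counting only symbols from `alphabet`."""
    if not data:
        return 0.0
    entropy = 0.0
    for symbol in alphabet:
        p = data.count(symbol) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def scan_text(text):
    """Return (line_no, kind, run, entropy) for every run above threshold."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        reported = set()  # do not report one string under both alphabets
        for kind, pattern in PATTERNS.items():
            for run in pattern.findall(line):
                if run in reported:
                    continue
                entropy = shannon_entropy(run, ALPHABETS[kind])
                if entropy > THRESHOLDS[kind]:
                    reported.add(run)
                    findings.append((line_no, kind, run, round(entropy, 2)))
    return findings


if __name__ == "__main__":
    # Scan `git log -p --all` from stdin when piped in, else the sample hunk.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for line_no, kind, run, entropy in scan_text(source):
        print(f"line {line_no}: {kind} run, entropy {entropy:.2f}: {run}")
```

Run as `git log -p --all | python entropy_scan.py` to cover every commit on every branch, which is the point: a secret deleted in a later commit is still in the history, so the fix is to rotate it, not to remove the line. On the sample, only the 40-character secret key (entropy 5.32 bits over the base64 alphabet) and the pinned commit hash (3.97 bits over hex) are reported. The hash is a false positive of the kind this technique produces on every git SHA and base64 blob, and the low-entropy access key ID is a miss, which is why later versions of such scanners add regexes for known key formats alongside the entropy check.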

Breaches by external actors will always remain a big threat, but as individuals, businesses, and governments steadily accrue lengthy lists of credentials, human error becomes an increasingly costly failure mode.

One more thing

In the world of data breaches, not even one of the world's most beloved kitties is safe. A list of 3.3 million Sanrio user credentials surfaced, including 180,000 accounts belonging to underage users. Sanrio, the parent company of Hello Kitty, denied that this information was stolen in a leak or breach in 2015, but the data now circulating matches the previously leaked information.

The information includes names, birthdates, gender, country of origin, email addresses, usernames, unsalted SHA-1 password hashes, and password hints. Unsalted SHA-1 offers little protection: anyone holding the dump can recover common passwords by lookup, and every user who chose the same password shares the same hash. This leak comes as yet another hit in the wake of the ongoing hijacking of MongoDB databases left exposed to the internet without authentication. As of Monday, 27,000 databases had been hijacked.
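To make the "unsalted SHA-1" point concrete, here is an added example (written for this post, not taken from the Sanrio data or any real dump) that cracks a few constructed rows by dictionary lookup, shows that two users with the same password are exposed together, and contrasts that with a per-user salt and a slow KDF. The usernames, passwords and wordlist are all made up; PBKDF2-HMAC-SHA256 with 200,000 iterations is an assumed choice of slow hash for the contrast, not a recommendation the post makes.

```python
import hashlib
import os

# Constructed wordlist; a real attacker would use a list of millions.
WORDLIST = ["123456", "password", "qwerty", "hellokitty", "letmein"]


def sha1_hex(password):
    """Unsalted SHA-1, the scheme the leaked data used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed rows in the shape described above: (username, unsalted SHA-1).
# The hashes are computed here from made-up passwords, not copied from a dump.
LEAKED_ROWS = [
    ("kitty_fan", sha1_hex("hellokitty")),
    ("parent42", sha1_hex("123456")),
    ("kuromi_k", sha1_hex("hellokitty")),      # same password as kitty_fan
    ("careful_user", sha1_hex("9vKz!qL#4pTw")),  # not in the wordlist
]


def build_lookup(wordlist):
    """Hash each candidate once. Because nothing per-user went into the
    hash, this one table is reusable against every row in the dump."""
    return {sha1_hex(pw): pw for pw in wordlist}


def crack_unsalted(rows, lookup):
    """O(1) dictionary lookup per row; no hashing happens at crack time."""
    return {user: lookup.get(digest) for user, digest in rows}


def shared_password_groups(rows):
    """Users whose hashes collide chose the same password; unsalted hashing
    reveals that even before a single password is recovered."""
    groups = {}
    for user, digest in rows:
        groups.setdefault(digest, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


def salted_hash(password, salt, iterations=200_000):
    """Per-user random salt plus a slow KDF (assumed: PBKDF2-HMAC-SHA256).
    The salt defeats the shared lookup table; the iterations make each
    guess cost real CPU time."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    ).hex()


def salted_hashes_differ(password):
    """Two users, same password, different salts: different stored values,
    so the dump no longer reveals who shares a password."""
    return salted_hash(password, os.urandom(16)) != salted_hash(password, os.urandom(16))


if __name__ == "__main__":
    print(crack_unsalted(LEAKED_ROWS, build_lookup(WORDLIST)))
    print("share a password:", shared_password_groups(LEAKED_ROWS))
    print("salted hashes differ:", salted_hashes_differ("hellokitty"))
```

Three of the four constructed accounts fall to a five-word list without any hashing at crack time, and the two "hellokitty" users are identifiable as a pair from the hashes alone. With a per-user salt the precomputed table is useless and each guess must be hashed separately per account, which is where the slow KDF's cost starts to matter. Password hints, also in the dump, only narrow the wordlist further.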
