This Week: Unhappy Accidents and Avoidable Leaks

That'll do, pig. That'll do.
January 13, 2017

What do a typo, a hacked database, and a tweet have in common? Leaked credentials. This week we saw three major leaks that could have been avoided. While we are constantly advised to be on the lookout for malicious actors, sometimes we are our own worst enemies.

You Had One Job

An email from the National Australia Bank (NAB) containing the names, addresses, email addresses, branches, account numbers, and NAB identification numbers of 60,000 customers was sent to an email address at nab.com rather than nab.com.au. While the bank is working to ensure the accounts are secure, the personal information of these sixty thousand customers is now beyond the bank’s control.

Portal Brazil mistakenly posted a tweet with a link containing all of their passwords, including those for Instagram, Facebook, and Gmail. The link was attached to a tweet saying the National Force will remain another 60 days in Rio Grande do Norte. A note, written in red next to one of the passwords, said “do not change the password ever”. After the incident, the post was deleted and Portal Brazil changed their passwords - supposedly. Not a good day.

Regardless of how quickly an organization realizes their mistake, the damage is already done. The organization earns a reputation of carelessness with their (and others’) data, and there’s a strong likelihood that others saw (and saved) the information.

But Wait, There’s A Tool For That

There is a myriad of tools that automatically crawl, copy, and save sensitive information (mistakenly) posted online. Most of the time these bots are written with malicious intent, as their operators seek to monetize and exploit human error.

But some of these automated tools have a more noble quest. Truffle Hog, a Python program recently published on GitHub, lets programmers scan the source code they’ve published online for any credentials (e.g., API keys) left hard-coded in the files. The program even scans all previous versions of your code.
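The core of that kind of scan is an entropy check: a long run of base64 or hex characters that looks random is more likely a key than a word. The script below is an added example written for this post, not Truffle Hog’s own code; it applies that check to a constructed diff (the credentials in it are made up) rather than walking a real repository’s history, and the thresholds are the commonly used truffleHog defaults.

```python
import math
import re

# truffleHog-style check: a run of 20+ base64 or hex characters whose Shannon
# entropy exceeds the threshold is reported as a probable hard-coded credential.
# Thresholds are the commonly used truffleHog defaults (4.5 bits base64, 3.0 hex).
B64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"
RULES = (
    (re.compile(r"[A-Za-z0-9+/=]{20,}"), B64_CHARS, 4.5),
    (re.compile(r"[0-9a-fA-F]{20,}"), HEX_CHARS, 3.0),
)


def shannon_entropy(data: str, charset: str) -> float:
    """Bits of entropy per character of data, counted over charset."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in charset:
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def find_high_entropy_strings(text: str) -> list[str]:
    """Return candidate secrets in text (a diff, a config file, a tweet...)."""
    findings = []
    for word in text.split():
        for pattern, charset, threshold in RULES:
            for run in pattern.findall(word):
                if shannon_entropy(run, charset) > threshold and run not in findings:
                    findings.append(run)
    return findings


# Constructed sample diff (not real credentials): a high-entropy base64-style
# key, a high-entropy hex token, and two secrets an entropy scan cannot see.
SAMPLE_DIFF = """\
+API_KEY = "Zq8mT3vLp0XrN6wKdJ2yFhB9cG5sV1aUeR7oQ4iW"
+SIGNING_SECRET = "9f3a0c7e1b5d8264f2e9c4a1d7b06835"
+DB_PASSWORD = "password123"
+SESSION_TOKEN = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+# do not change the password ever
"""

if __name__ == "__main__":
    for secret in find_high_entropy_strings(SAMPLE_DIFF):
        print("possible hard-coded credential:", secret)
```

Run over the sample, only the two random-looking tokens are reported; "password123" and the repeated-character token slip through, which is why entropy scanning is paired with pattern rules and a pre-commit hook rather than relied on alone. The real tool applies the same check to the diff of every commit in the repository, so a key that was committed and later removed still shows up.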

Breaches from external actors will always remain a big threat, but as individuals, businesses, and governments steadily accrue lengthy lists of credentials, human error becomes an increasingly costly mishap.

One more thing

In the world of data breaches, not even one of the world’s most beloved kitties is safe. A list of 3.3 million Sanrio user credentials surfaced including 180,000 accounts belonging to underage users. Sanrio, the parent company of Hello Kitty, denied this information was stolen in a leak or a breach in 2015, but the current available data matches the other leaked information.

The information includes names, birthdates, gender, country of origin, emails, usernames, unsalted SHA-1 hashed passwords, and password hints. This leak comes as yet another hit in the wake of the ongoing exploitation of MongoDB database vulnerabilities. As of Monday, 27,000 databases had been hijacked.

About the author
Analyst Team

The Terbium Analyst Team is on the front-line of combatting dark web myths and legends. Whether it's a threat report, white paper, or blog post, the Analyst Team's job is to know things and speak intelligently about them. Other interests include weightlifting, chocolate, and accumulating obscure dark web trivia to amuse and confuse our co-workers.