Someone Hacked the Hackers: 500K Accounts Leaked Online

Someone has a sense of irony: A well-known hacker forum dubbed Nulled.IO has been itself compromised, leading to the release of a treasure trove of pwn data.

Nulled.IO said that it has 473,700 registered users who share, sell and buy leaked content, stolen credentials, nulled software and software cracks. According to Risk Based Security, the database that was leaked includes critical information about the users of the forum, including 536,064 user accounts with 800,593 personal messages, 5,582 purchase records and 12,600 invoices, which seem to include donation records as well.

The accounts compromised all contain user names, email addresses, encrypted passwords, registration dates and registered with IP address. Other tables such as the nexus transactions table for VIP access payments contains User ID (which can be matched back to users in the customers table), payment methods, PayPal emails, dates and costs.

But that’s not all: Also, including are API credentials for three payment gateways (PayPal, Bitcoin, Paymentwall) as well as 907,162 authentication logs with geolocation data, member ID and IP addresses, and 256 user donation records that are able to be matched to the user with member ID.

It all means that by simply searching by email or IP addresses, it can become evident who might be behind various malicious deeds. “With this being such a comprehensive dump of data it offers up a very good set of information for matching a member ID to the attached invoices, transactions and other content such as member messages and posts,” RBS noted in a blog post.

Interestingly, RBS uncovered in its analysis that 19 accounts were registered with .gov based domains, including in the United States, Philippines, Brazil, Turkey and others. Eight of the government accounts were marked as “User Group 5,” which is for banned accounts, the rest were either activated members with posts or awaiting activation.

No word yet as to who hacked the hackers, but there’s a good bet on how it happened. Nulled.IO was running the IP.Board community forum commonly known as IP.b or IPb, along with an IP.Nexus Setup for its marketplace as well as VIP forums among a few other IPb plugins.  

“While we do not have confirmation as to how this breach occurred at this point, there have been over 4,500 vulnerabilities to date in 2016, and with 185 total vulnerabilities in IP.Board (92 of them do not have a CVE by the way!),” the researchers said. “It is not hard to make a guess.”

Photo © tadamichi

What’s Hot on Infosecurity Magazine?