Category Archives: data leak

The team behind the Joomla CMS discloses a data breach

Maintainers at the Joomla open-source content management system (CMS) announced a security breach that took place last week.

Last week a member of the Joomla Resources Directory (JRD) team left an unencrypted full backup of the JRD site ( on an unsecured Amazon Web Services S3 bucket operated by the company.

The company did not reveal is third-parties have found and accessed to the S3 bucket.

“JRD full site backups (unencrypted) were stored in a third-party company Amazon Web Services S3 bucket. The third-party company is owned by a former Team Leader, still Member of the JRD team at the time of the breach.” reads the data breach notification. “Known to the current Team Leader at the time of the breach. ( Each backup copy included a full copy of the website, including all the data.”

The backup contained details for approximatively 2,700 users who registered and created profiles on the JRD website.

The Joomla Resources Directory portal allows professionals and developers to advertise their services.

Joomla team is investigating the data leak said they are still investigating the incident. It is currently unclear if anyone found and download the data from the third-party company’s S3 server.

The Joomla team also carried out a full security audit of the portal.

“The audit also highlighted the presence of Super User accounts owned by individuals outside Open Source Matters,” continues the notification.

Data contained in the backup includes :

  • Full name
  • Business address
  • Business email address
  • Business phone number
  • Company URL
  • Nature of business
  • Encrypted password (hashed)
  • IP address
  • Newsletter subscription preferences

The data breach notification states that most of the data was public, because it was a public directory, anyway private data (unpublished, unapproved listings, tickets) was exposed in the breach.

The Joomla team is urging JRD users to change their password on the JRD portal and on other sites where they share the login credentials.

“Even if we don’t have any evidence about data access, we highly recommend people who have an account on the Joomla Resources Directory and use the same password (or combination of email address and password) on other services to immediately change their password for security reasons.” concludes the notification.

Pierluigi Paganini

(SecurityAffairs – data breach, hacking)

The post The team behind the Joomla CMS discloses a data breach appeared first on Security Affairs.

KingNull leaks DB of Daniel’s Hosting dark web hosting provider

Earlier this year a hacker breached Daniel’s Hosting, the largest free web hosting provider for dark web hidden services and now leaked its DB.

A threat actor has leaked the database of Daniel’s Hosting (DH), the largest free web hosting provider for dark web hidden services.

The hacker has stolen the data in March when he breached the hosting provider, almost 7,600 dark web portals have been taken offline following the security breach.

Daniel Winzen, a German software developer that operated the service, revealed that attackers accessed the backend of the hosting provider and deleted all the databases of the websites hosted by Daniel’s Hosting.

Winzen definitively shut down the service on March 26.

Today ZDNet reported that a hacker that goes online with the moniker ‘KingNull’ uploaded a copy of Daniel’s Hosting database on a file-hosting site.

“According to a cursory analysis of today’s data dump, the leaked data includes 3,671 email addresses, 7,205 account passwords, and 8,580 private keys for .onion (dark web) domains.” reported ZDNet.

Threat intelligence firm Under the Breach that analyzed the leaked database told ZDNet that the archive includes sensitive information on the owners and users of thousands of darknet sites. IP addresses of administrators and users were not included in the archive.

The database could allow law enforcement agencies to deanonymize administrators of dark web services that were involved in illegal activities.

Unfortunately, the leak could put in danger activists and dissidents that use the darknets to avoid the censorship applied by regimes.

In November 2018, Daniel’s Hosting provider was victims of another incident, attackers hacked the service and deleted 6,500+ sites.

ZDNet revealed that Winzen plans to launch again the hosting service in several months.

Pierluigi Paganini

(SecurityAffairs – dark web, hacking)

The post KingNull leaks DB of Daniel’s Hosting dark web hosting provider appeared first on Security Affairs.

Account credentials of 26+ million LiveJournal users leaked online

A data dump containing account information of over 26 million LiveJournal users has been offered for sale on dark web marketplaces and is now being shared for free on underground hacker forums. The data dump, supposedly originating from a 2014 LiveJournal breach, contains email addresses, usernames, profile URLs and plain text passwords of 33+ million users. After removing duplicates, Troy Hunt has added the dump to the Have I Been Pwned? service, which potentially affected … More

The post Account credentials of 26+ million LiveJournal users leaked online appeared first on Help Net Security.

Santander, one of the biggest European banks, was leaking sensitive data on their website

Santander Consumer Bank, the Belgian branch of the bank, had a misconfiguration in its blog domain that was allowing its files to be indexed.

Our new research recently discovered a security issue with Santander, the 5th largest bank in Europe and the 16th largest in the world. This Spanish multinational bank controls approximately $1.4 trillion in total assets globally, and has a $69.9 billion total market capitalization on the Euro Stoxx 50 stock market index.

Our analysts found that the Belgian branch, Santander Consumer Bank, has a misconfiguration in its blog domain, allowing its files to be indexed. 

When we looked through these files, we were able to see sensitive information, including an SQL dump and JSON file that can be used by hackers to potentially phish Santander’s bank customers.

We contacted Santander immediately when we discovered the misconfiguration on April 15.  Representatives from the leading European bank responded to our emails and seem to have fixed the issue, as we are presently unable to access the information.

A Santander Consumer spokesperson said:

“The incident highlighted relates specifically to the Santander Consumer Bank Belgium blog only. The blog contains only public information and articles, and therefore no customer data or critical information from the blog  has been compromised. Our security team has already fixed the issue to ensure the blog is secure.”

What exactly is wrong with the Santander website?

When we visited the Santander blog on its Belgian domain, we noticed that the www endpoint of the blog subdomain had a misconfiguration that allowed all of its files to be indexed by search engines

Included in these indexed files was an important info.json file that seemed to contain its Cloudfront API keys.

Cloudfront is a Content Display Network (CDN) created by Amazon. Websites use CDNs to host large files, such as videos, PDFs, large images and other static content, that would normally slow down their own websites. Because these large files are hosted on the CDNs instead, websites are faster for users.

If a hacker were to get a hold of Santander’s apparent Cloudfront API keys, they would be able to switch out the content hosted on Cloudfront with any other content

For example, if a PDF or Word document was hosted on Cloudfront, and this document contained sensitive information – such as what accounts a customer should send money to – then the hacker would be able to switch that document out with their own version. In that way, they’d be able to change the real account number to his own, and thereby steal the customer’s money.

If a static HTML file was hosted, then the hacker would be able to switch that out with an entire webpage, allowing them to create a phishing page to steal the user’s financial information, all while on Santander’s official Belgian domain.

How to protect yourself

On April 15, we notified Santander’s Belgian website of the misconfiguration, and on April 24 they responded and seem to have fixed the issue. Their CyberSecurity Team stated: “We take cyber security seriously and strive to maintain the highest security standards and best practices and welcome responsible disclosure attitudes in security researchers.”

When we checked for the misconfiguration again on April 27, we received the following message:


You don’t have permission to access this resource.

For Santander’s customers, as well as all other banking customers, we’d recommend that you always check the domain and subdomain that a suspicious bank email is sending you to. Make sure that the domain is the bank’s real domain, but also know that important financial information requests would never be hosted on the blog subdomain of a bank.

Editor’s note: this article was updated on May 19 to reflect new information in collaboration with BitSight that the keys may not have been active Cloudfront API keys at the time of our discovery.

Original post:

About the author: Bernard Meyer

Bernard Meyer is the Senior Researcher at CyberNews. He has a strong passion for security in popular software, maximizing privacy online, and keeping an eye on governments and corporations. He’s been featured in Fortune, Forbes, Wired, Mirror, TechRadar and more. You can usually find him on Twitter arguing with someone about something moderately important.

Pierluigi Paganini

(SecurityAffairs – Santander, hacking)

The post Santander, one of the biggest European banks, was leaking sensitive data on their website appeared first on Security Affairs.

129 million records of Russian car owners available on the dark web

A hacker is offering for sale on a dark web forum a database containing 129 million records of car owners in Moscow.

A hacker is attempting to sell on a dark web forum a database containing 129 million records of car owners in Moscow.

As a proof of the authenticity of the data, the hacker has leaked some anonymized data containing all the car details present in the traffic police registry.

The archive doesn’t include car owners’ details, exposed data includes the car’s make and model, place of registration, and the date of first and last registration.

The seller is offering the full version of the database for 0.3 BTC, which at the current rate is about $ 2677, paying 1.5 BTC ($ 13.386) it is possible to purchase information for “exclusive use.”

The accuracy of the data has been verified by Vedomosti media.

“Hackers posted a darknet database of Russian car owners, it includes 129 million positions from the traffic police registry. The authenticity of the information was confirmed by an employee of the car-sharing company, Vedomosti reports.” reads the website

“In the published data there is only anonymized information. These include: place and date of registration of the car, make and model. According to hackers, the full version also contains the name, address, date of birth, passport numbers of car owners and their contact information.”

According to the Russian blog Nora the Hedgehog, several portals where people can pay fines for violating COVID-19 quarantine are leaking their full names and passport numbers by simply providing the registration number of the ticket.

The worst news is that the portals don’t implement any protection against brute-force attacks, allowing attackers to try all the possible combinations of unique ticket numbers to retrieve personal details of the people that paid the fines.

Pierluigi Paganini

(SecurityAffairs – dark web, hacking)

The post 129 million records of Russian car owners available on the dark web appeared first on Security Affairs.

Indecent Exposure: 7TB of Adult Streaming User Data Unsecured on Server

Users on an adult streaming platform may have experienced the wrong kind of exposure when over seven terabytes of data was found on an unprotected database online. The damage done could include the dissemination of amateur pornographic user images. 

CAM4, a video streaming service primarily for adult amateur webcam content, reportedly left more than 11 million user records online on an unprotected Elasticsearch server. The error was unintentional. The data was discovered by researchers at Safety Detectives, a security review website.

Leaked customer data potentially included, but was not limited to, names, email addresses, countries of origin, gender preferences, sexual orientation, user names, credit card types, user conversations, payment logs, email correspondence transcripts, token information, password hashes, IP addresses.

“The fact that a large amount of email content came from popular domains…that offer supplementary services such as cloud-storage and business tools — means that compromised CAM4 users could potentially see huge volumes of personal data including photographs, videos and related business information leaked to hackers — assuming their accounts were eventually hacked via phishing as one example,” wrote Safety Detectives in a blog describing their findings.

The post Indecent Exposure: 7TB of Adult Streaming User Data Unsecured on Server appeared first on Adam Levin.