
Breached Data Indexer ‘Data Viper’ Hacked - todsacerdoti
https://krebsonsecurity.com/2020/07/breached-data-indexer-data-viper-hacked/
======
rshnotsecure
I had a look at some of the data posted about this leak between reporters and
researchers. A few highlights:

1. The FBI does appear to have been a subscriber to Mr. Troia's services. Two
FBI emails to agents appear among the list of subscribers, which is not very
big. Europol, Amazon, and the Dubai Police also appear...

2. The MGM Grand appears to have grossly understated the amount of users who
were hacked in the 2019 breach. This hacker is claiming well over 100 million,
instead of the 10 million or so MGM claims.

3. The most relevant paragraph I think is the below:

> DataViper contained several undisclosed breaches. MGM Grand Hotels is
> included in the dataset with 142 million entries and was imported by Vinny
> on November 30th 2019. This number is very different to the 10.7 million
> number that they stated were affected [1]. This indicates that MGM
> knowingly misreported information regarding this data breach and that Vinny
> is aware of this misrepresentation. FiveStars is another data breach that
> is in DataViper but not publicly disclosed. It was imported in November
> 2019. It is unclear whether it was reported to them and they failed to notify
> their users or if Vinny did not notify FiveStars. The same is true of
> Zumiez.com (160 million), Avito.ru (30 million), Mamba.ru (13 million),
> MyVestige.com (11 million), LocateFamily.com (11 million), and others.

4. I forked the entire list of domains hacked, provided by the original
reporter I believe at ZDNet, to here:
[https://gist.github.com/danvau7/337b0ac71db8c7298e712ed5ba3a...](https://gist.github.com/danvau7/337b0ac71db8c7298e712ed5ba3a76b4)

5. Vinny Troia claims a PhD, but it comes from the not very well respected /
for-profit "Capella University" in the United States.

~~~
brownbat
That list has some big names on it.

> Troia said the people responsible for compromising his site are the same
> people who hacked the databases they are now selling on the dark web and
> claiming to have obtained exclusively from his service.

So he's saying that these guys successfully compromised all these domains
while he watched, but never did anything with the stolen info, waiting to
blame it all on an intrusion into his company... in retaliation for him
watching them steal it all in the first place?

That's some real Xanatos Gambit stuff right there. Maybe Troia lives in a
David Mamet film.

------
cantrevealname
The main thing I wanted to know is how they got hacked:

_Troia said the intrusion into his service [was] because his developer
accidentally left his credentials exposed in documents explaining how
customers can use Data Viper's application programming interface. "I will say
the irony of how they got in is absolutely amazing," Troia said._

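The root cause quoted above, a live credential pasted into customer-facing API documentation, is exactly the class of mistake a pre-publish check catches. The following is an added example, not code from Data Viper, Krebs, or the commenter: a small scanner that looks for credential-shaped values in the contexts where docs usually leak them (Authorization headers, `api_key=`-style assignments), scores each candidate by length and Shannon entropy, and ignores the placeholders that docs legitimately use (`<YOUR_API_TOKEN>`, `${TOKEN}`, `REPLACE_ME`). The two doc snippets, the endpoint, the client class and the token are all constructed for the example; nothing here describes Data Viper's actual API.

```python
"""Flag credential-looking values in API documentation before it is published.

Added example. The doc snippets, endpoint, ``Client`` class and token below are
constructed for illustration and do not describe any real service's API.
"""
import math
import re

# Values documentation legitimately uses in place of a real secret.
PLACEHOLDER_RE = re.compile(
    r"^(<[^>]+>|\$\{?[A-Z_]+\}?|YOUR_[A-Z_]+|REPLACE_ME|xxx+|\.\.\.)$", re.IGNORECASE
)

# Contexts in which secrets tend to appear in docs; group 1 is the candidate.
CONTEXT_PATTERNS = [
    ("authorization header",
     re.compile(r"Authorization:\s*(?:Bearer|Basic|Token)\s+([^\s\"']+)", re.I)),
    ("api key header",
     re.compile(r"X-Api-Key:\s*([^\s\"']+)", re.I)),
    ("query/assignment",
     re.compile(r"(?:api_?key|token|secret|password)\s*[=:]\s*[\"']?([^\s\"'&]+)", re.I)),
]


def shannon_entropy(s: str) -> float:
    """Bits per character. Random keys score ~4-5; words and placeholders score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(token: str, min_len: int = 16, min_entropy: float = 3.0) -> bool:
    """True if the token is long and random-looking and is not a known placeholder."""
    token = token.strip().rstrip(",;)")
    if PLACEHOLDER_RE.match(token):
        return False
    return len(token) >= min_len and shannon_entropy(token) >= min_entropy


def find_leaked_credentials(text: str):
    """Return (line_number, context, token) for each credential-looking value in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in CONTEXT_PATTERNS:
            for m in pattern.finditer(line):
                if looks_like_secret(m.group(1)):
                    findings.append((lineno, label, m.group(1)))
    return findings


# Constructed "before" doc: a developer pasted a working token into the examples.
BAD_DOCS = r"""# Search API (hypothetical endpoint, constructed for this example)
curl -H "Authorization: Bearer dv_live_9f2Kq7xL0mZ3aP8tR1vW4yB6nC5hJ2eD" \
     "https://api.example.invalid/v1/search?q=example.com"

# Same call from the hypothetical Python client
client = Client(api_key="dv_live_9f2Kq7xL0mZ3aP8tR1vW4yB6nC5hJ2eD")
"""

# Constructed "after" doc: same content with placeholders the scanner accepts.
GOOD_DOCS = r"""# Search API (hypothetical endpoint, constructed for this example)
curl -H "Authorization: Bearer <YOUR_API_TOKEN>" \
     "https://api.example.invalid/v1/search?q=example.com"

# Same call from the hypothetical Python client
client = Client(api_key="${API_TOKEN}")
"""

if __name__ == "__main__":
    for name, doc in (("BAD_DOCS", BAD_DOCS), ("GOOD_DOCS", GOOD_DOCS)):
        hits = find_leaked_credentials(doc)
        print(f"{name}: {len(hits)} finding(s)")
        for lineno, label, token in hits:
            print(f"  line {lineno} [{label}]: {token[:8]}...")
```

Run it as a pre-commit or CI step over the docs directory and fail the build on any finding; the entropy threshold keeps ordinary words out, and the placeholder list is where you whitelist the conventions your own docs use. It is a heuristic, so a key that is rotated the moment it is found is still the right response, and the real fix is to never have a production credential in a developer's clipboard while writing docs in the first place.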
~~~
nominated1
> Smoke and mirrors, indeed. It’s entirely possible this incident is an
> elaborate and cynical PR stunt by Troia to somehow spring a trap on the bad
> guys.

That’s the juicy bit of the story. Has this all been staged?

------
joe_the_user
_The apparent breach at St. Louis, Mo. based Data Viper offers a cautionary
and twisted tale of what can happen when security researchers seeking to
gather intelligence about illegal activity online get too close to their prey
or lose sight of their purported mission._

Yeah, the discussion of the data the company kept gives the impression that
the only difference between Data Viper and a black hat data broker is that
Data Viper sold to "vetted" law enforcement and security researchers.

Now, what potential for lawlessness does that give law enforcement?

------
nelaboras
I pay taxes

Taxes go to FBI/Europol etc

Security services pay these shady data brokers with my taxes to access data

Shady data broker buys hacked data from criminals with my taxes

Cybercriminals live off my taxes.

Cybercriminals hack more sites, selling/leaking my data.

I don't know whether the ends justify the means here, but it seems really
off that our security apparatus pays money to maintain a criminal ecosystem.
On the other hand once the data is available it would also be wrong not to use
it to catch pedophiles, mafia members, tax evaders, ...

------
pentestercrab
[https://intelx.io/?did=25626760-7371-4872-be87-68c350f7baac](https://intelx.io/?did=25626760-7371-4872-be87-68c350f7baac)

------
bigdaddy1998
I'm sure my data was in his data breach. I will join the suit

------
Flood
Who has the magnet link

------
bigdaddy1998
where is the class action against Data Viper

