
The unattributable “db8151dd” data breach - iDemonix
https://www.troyhunt.com/the-unattributable-db8151dd-data-breach/
======
throwaway9993
Dataset for sale: [redacted]

Similar data structure: [https://stackblitz.com/edit/angular-soswe4?file=src%2Fapp%2Fapp.component.ts](https://stackblitz.com/edit/angular-soswe4?file=src%2Fapp%2Fapp.component.ts)

Owner works for: [https://covve.com](https://covve.com)

Covve: This simple yet state-of-the-art app will revolutionise your business
relations like you've never seen.

Edit: Response:
[https://twitter.com/covve/status/1261287954967941120](https://twitter.com/covve/status/1261287954967941120)

~~~
amatecha
haha, I found exactly the same!
[https://twitter.com/amatecha/status/1261231178423517184](https://twitter.com/amatecha/status/1261231178423517184)

A user who replied to me also shared some anecdotes that indicate further
evidence towards that being the source (a private email address only used for
GSuite admin purposes, on her iOS device, upon which she had Covve installed)
-- thread here
[https://twitter.com/angelalgibson/status/1261314415829237761](https://twitter.com/angelalgibson/status/1261314415829237761)

~~~
amatecha
Covve has actually made a post and confirmed it was indeed their server that
was breached: [https://covve.com/opinion/security-incident/](https://covve.com/opinion/security-incident/)

------
alexproto
Hi all, Alex here, CTO at Covve. Just got alerted of incident db8151dd in .
We’re investigating as top priority with our security experts what relation
this may have with Covve. We are monitoring the feedback in this blog and
would really appreciate any additional information you may have on this as we
investigate (alex@covve.com).

~~~
service_bus
It appears your organization left an elasticsearch database exposed to the
internet. This happens frequently due to poor configuration.

You're either going to have logs pointing to an IP that the individual used to
siphon your data, or nothing.

With an exposed elasticsearch database, you possibly had the data being
siphoned by many parties, and are only aware now because of this particular
incident.

If you have any operations regarding customers in Europe, you need to notify
your relevant Data Protection Authority:

[https://edpb.europa.eu/about-edpb/board/members_en](https://edpb.europa.eu/about-edpb/board/members_en)

You should also sign your engineers up for this course:

[https://www.elastic.co/training/specializations/elastic-stack-management/fundamentals-of-securing-elasticsearch](https://www.elastic.co/training/specializations/elastic-stack-management/fundamentals-of-securing-elasticsearch)

~~~
michaelcampbell
As of this writing, I don't think it's been determined yet whose organization
this data came from, has it? All we have so far is a similarity in data
format/structure.

~~~
polote
Almost all their employees have their emails in the breach:

[https://covve.com/about](https://covve.com/about)

Email format is <first_character_firstname>.<lastname>@covve.com

------
xenophonf
Troy's fighting the good fight, but it's so freaking depressing. If he has
hundreds of millions of records worth of personal data from just the breaches
that have been shared with him, what _else_ is out there in the hands of
criminals and corporations, neither of which have the public interest at
heart—only naked self interest in exploiting members of the public for as much
money as they can get?

~~~
tialaramex
Millions per day. This used to be part of one of my old jobs. A feed of stolen
PII would drop into our SFTP server every morning and we'd process it.

There's no honour among thieves, so there were a bunch of duplicates pretending
to be "new" data, but yes, there is a cottage industry of stealing smaller
quantities of PII, focused particularly on email addresses and passwords
(because those get re-used elsewhere) and credit card data (because you may be
able to either buy something with it or at least fool your way past an
immediate check on the card).

Do not re-use passwords. Like, that's the really easy "Wash your fucking
hands" level lesson here. As someone who isn't employed to work with this data
any more I'd say that 99% of the value isn't with like stolen passports
(though we did see some passport data) or even credit cards, but the
passwords.

If you hate that this is even a problem, adopt and (if you write code or
specify software) implement WebAuthn. Nobody would steal passwords if they
didn't work. Not only does stealing WebAuthn credentials from a site's
database not work (they're public; the secret that's valuable never leaves the
user's FIDO dongle), crooks also wouldn't bother doing it, just like crooks
don't steal farm machinery to pull candy vending machines off the wall and
steal candy, whereas they do attack ATMs in exactly this way.

~~~
heavenlyblue
One of the cool things about having a password manager is that it can’t
auto-complete the form for websites not sharing the domain with the old one.

If you don’t know the password yourself, then phishing is less effective as
it’s quite rare that your password manager forgets that it needs to fill out
the form for you.

~~~
tialaramex
> ... then phishing is less effective as it’s quite rare

In practice users who're successfully being phished curse the password manager
and override it. Not always but often enough.

WebAuthn bakes the site-specificity into the protocol thus preventing you from
shooting yourself in the foot, even if you're convinced that's what you need
to do.
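To make concrete what tialaramex describes in the two comments above (the credentials stored in a site's database are public keys, and site-specificity is part of the protocol), here is an added example of the relying-party side of a WebAuthn assertion; it is not from the thread or from any WebAuthn library. The domain names, challenge and counter values are constructed, and signature verification is left out as noted in the code.

```python
"""Relying-party checks that give WebAuthn its site binding: the authenticator
signs over sha256(rpId), and the browser (not the user) supplies the origin in
clientDataJSON, so an assertion minted on a look-alike domain fails on the real site."""
import base64
import hashlib
import json

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(rp_id, origin, challenge, sign_count):
    """Constructed stand-in for what navigator.credentials.get() returns:
    authenticatorData = rpIdHash(32) || flags(1) || signCount(4), plus clientDataJSON.
    The browser sets rp_id/origin; a phishing page cannot choose another site's values."""
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x01])                        # UP flag: user presence
                 + sign_count.to_bytes(4, "big"))
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    return auth_data, client_data

def check_binding(auth_data, client_data, rp_id, origin, challenge, last_count):
    """Return None if the assertion is bound to this site, else the rejection reason.
    Signature verification over auth_data || sha256(client_data) is omitted: it needs
    the stored (public, hence harmless if leaked) key and an ECDSA library."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return "challenge mismatch (replayed or stale assertion)"
    if cd.get("origin") != origin:
        return f"origin {cd.get('origin')!r} is not {origin!r}"
    if len(auth_data) < 37:
        return "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    count = int.from_bytes(auth_data[33:37], "big")
    if count != 0 and count <= last_count:
        return "signature counter did not increase (possible cloned authenticator)"
    return None
```

A user who overrides their password manager on a look-alike domain hands over a reusable secret; the same user on a WebAuthn site produces an assertion the real site rejects on the origin and rpIdHash checks alone.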

------
Nextgrid
For the people that use unique per-merchant e-mail addresses (like
someone+amazon@...), could you try some of those aliases on HaveIBeenPwned and
see which ones come up in this breach? That might shed some light onto its
origin.

~~~
deng
BTW, since many people don't seem to be aware of this: If you have your own
domain, you can get informed by haveibeenpwned automatically if _any_ mail
address from that domain is in a breach. All that is required is that you're
reachable on that domain through an address like 'postmaster'. This feature
can be found under 'domain search'. Since I use a new address for pretty much
anything this is very handy.

~~~
mysterypie
I have a large list of unique emails to test, but they are not from a domain I
control. It seems that I can test these through the API, but is there any
simpler way? I tried obvious things like putting a list of comma-separated
email addresses in the search form, but it doesn't work.

~~~
numpad0
Kinda lets adversaries figure out which account used which password from which
breach and until which point.

------
dgellow
> Why load it at all? Because every single time I ask about whether I should
> add data from an unattributable source, the answer is an overwhelming "yes"

To be fair, you’re asking your followers on Twitter. That’s as biased as you
can get; I would be really surprised if the majority would say no.

~~~
SideburnsOfDoom
I got notified that I'm in this breach, and I honestly don't know what (if
anything) I can do with this information, which implies "If it's not
actionable, why bother telling me at all?"

Unique passwords per site, with a password manager? Done a long time ago.
Should I change some of them? OK, which ones? There are hundreds.

Details of what else about me is in this breach? Not clear where I can find
that.

~~~
ric2b
> Should I change some of them? OK, which ones? there are hundreds.

The ones that you know were pwned.

In theory you should change all passwords all the time, but this is a
practical middle-ground between that and "never".

~~~
SideburnsOfDoom
> The ones that you know were pwned.

Breaches like this one give no indication of which password is exposed, if
any.

AFAIK, there is nothing actionable.

------
numpad0
Could it be Google+? 3 of 3 of my Gmail addresses associated with their profile
in some way were on it. Two of them I might have used to register a domain, but
the last one I used for G+ and one other website only, and none of my friends
know this. Also, I'm not in the US and don't have a US background, so it can't
be from American friends' phones or retailer CRM.

~~~
onefuncman
This seems like a winner to me. Iterating a graph along some association
explains the ordering mentioned in the blog post, and explains the breadth of
connectivity.

~~~
anoncareer0212
Shocked to read this; you can immediately rule it out after reading the
article or looking at the sample data.

------
londons_explore
> Recommended by Andie [redacted last name]. Arranged for carpenter apprentice
> Devon [redacted last name] to replace bathroom vanity top at [redacted
> street address], Vancouver, on 02 October 2007.

Given that, surely Troy can contact those people and ask "who knew this
info?". Not many people would know who replaced my bathroom vanity top...

~~~
pfundstein
Sure but perhaps Devon used a SAAS CRM system whose servers were breached...
Or maybe Andie posted on Devon's public Facebook page to organise the job.
Maybe it's just the LinkedIn leaks resurfacing, etc, etc.

------
typpo
I use a unique email on my personal domain for everything I sign up for.

The email contained in this breach is the one I provided to Facebook. It was
probably hacked or sold from one of the handful of apps I've connected with FB
over the years.

------
secfirstmd
One of my emails is currently on:

"Pwned on 19 breached sites and found 5 pastes."

If these are public breaches, I would guess in reality I can probably assume
it's on double/triple that for sites that have been breached but the data
hasn't been posted online.

------
wincent
I don't really get the utility of HIBP. The answer to the "have I been
pwned?" question is, of course, yes, multiple times. I think about the only
way to keep your email out of the hands of the bad guys is to not use it or
give it to anyone ever, at which point you don't need an email address.

What am I supposed to do whenever I'm involved in a new breach? Burn all my
accounts and start again?

~~~
koheripbal
If you use a password manager to give you unique passwords per site, then
these alerts allow you to only change the impacted site's passwords.

...though in a case like this it wouldn't help since we don't know the site.

------
polote
After how many breaches of ES clusters will Elastic decide to make their DB not
accessible from external IPs by default?

~~~
zaat
That's the default for a long time already, but people actually want to use it
from outside the server and so they configure the listener.

[https://www.elastic.co/guide/en/elasticsearch/reference/6.3/...](https://www.elastic.co/guide/en/elasticsearch/reference/6.3/network.host.html)

~~~
outworlder
Even then, that also means that their machine has a public routable IP and can
answer incoming requests from the internet. My question is: why?

~~~
Sebb767
For many cloud VMs you spin up, it's the default. Having your servers behind a
NAT not only requires a lot more infrastructure knowledge (you need to know
you need it and manage access and routing), but also quite a bit more capital
investment; i.e. you need to set up a full infrastructure compared to spinning
up two+ VMs.

That's not to say it's a good thing, but I'm always surprised by the lack of
deeper network knowledge by a lot of engineers (and that's not meant to be
degrading - it's not something that you get for free when programming).

Lastly, you probably did start the project with a single VM - and at that
point it's far harder to say when the point comes to move to a NAT, even more
given that getting your second server is probably needed in a sudden spike and
the switch is a lot of work with no immediate payoff.

------
r1ch
Is this dump online anywhere? I got the notification from HIBP but it only
tells me my email address appeared and I'm curious how accurate the rest of
the data is.

~~~
esnard
> Back in Feb, Dehashed reached out to me with a massive trove of data

I guess searching on [https://www.dehashed.com/](https://www.dehashed.com/)
should give you some additional data.

~~~
Nextgrid
Surprisingly enough searching my pwned address in this breach doesn't bring it
up on Dehashed.

~~~
Operyl
The Dehashed indexer is extremely slow, according to their FAQ. Mine hasn’t
shown up there yet either, but I was informed by HIBP. Could still be
indexing I suppose.

------
guessmyname
> _Email addresses, Job titles, Names, Phone numbers, Physical addresses,
> Social media profiles_

I just got the email notification from HIBP (Have I Been Pwned) a few minutes
ago [1], but I am not worried about the compromised data because 1) my
personal email address, job title and phone number are all visible in my
resume, which is publicly available on my website; I actually encourage people
_—mostly tech recruiters—_ to download the PDF and contact me via email or
phone all the time, and 2) my physical address is irrelevant because I have
been moving houses every year for the last seven (7) years (even across
countries a couple of times). All the social media accounts I have are
completely empty; I just keep them around to hold on to my nickname.

I recently found, in my website’s HTTP logs, several requests from a web
crawler controlled by ZoomInfo [2], an American subscription-based software as
a service (SaaS) company that sells access to its database of information
about business people and companies to sales, marketing and recruiting
professionals. I was going to configure my firewall to block these requests,
but then I remembered _—hey! my website only has information I am comfortable
sharing, so it doesn’t matter—_ but I’ve been thinking it is just a matter of
time before someone hacks one of their systems and leaks their database.

In my previous-previous job I found a fairly simple (persistent) XSS
vulnerability in BambooHR that allowed non-authorized users to access data
from all employees registered in the website including Social Security Numbers
(SSN). I told my boss and we immediately edited everything before migrating to
a different system. We never knew if BambooHR fixed the vulnerabilities and I
wouldn’t be surprised if the data was leaked before or after I found the
security hole.

Software security is such a Whac-A-Mole game: even if you get the budget to
conduct security audits on your code, there is always going to be a weak link
somewhere in the chain, and that will be your doom. This is one of the many
reasons why I left that job as a Security Engineer; the other reasons were
Meltdown [3] and Spectre [4]: they both made me realize I was fighting for a
lost cause.

[1] [https://haveibeenpwned.com/NotifyMe](https://haveibeenpwned.com/NotifyMe)

[2] [https://en.wikipedia.org/wiki/ZoomInfo](https://en.wikipedia.org/wiki/ZoomInfo)

[3] [https://en.wikipedia.org/wiki/Meltdown_%28security_vulnerability%29](https://en.wikipedia.org/wiki/Meltdown_%28security_vulnerability%29)

[4] [https://en.wikipedia.org/wiki/Spectre_%28security_vulnerability%29](https://en.wikipedia.org/wiki/Spectre_%28security_vulnerability%29)

~~~
sirius87
The BambooHR theory is interesting. I looked up email addresses of co-workers
at a startup I worked for a few years ago (Jul'15-Jun'16). I was with them
earlier in 2012-13. My work email isn't there. But the slice of people between
Apr'13-Jul'15...all there. I guess we ran through a bunch of HR software
during the period, BambooHR being one of them. So either it's a subset of
BambooHR or it's some other product a bunch of people at my workplace signed up
for.

~~~
nucleardog
Our company's been on BambooHR for 3-4 years now I think (me personally for a
little over two). Can't find any of our company's addresses in there. So
either partial or old if that's where it came from.

Others are saying they've found data from as recently as mid-2019, so could be
possible that the reason it's so hard to find _a_ source is that this is
multiple sources. Looking at this as a dump from some sort of contact manager,
could see this being a dump from some sales guy's CRM or something where he'd
imported multiple datasets as potential leads alongside his personal contacts.

------
throwaway834792
Based on a large (over 50 results) domain search for a company I work for, the
data I found was very old, circa 2014.

I know this because almost everyone in the domain search stopped working for
the company on or after 2014. Everyone else has worked at the company since
2013 or earlier.

~~~
koheripbal
The email notification doesn't list the emails impacted. Do you need to rerun
the full report to get the details?

~~~
Nextgrid
If you run the domain report manually on the HIBP website you get the actual
email addresses involved.

------
tru3_power
I did some quick searching for the data format included in the snippets from
the article. Lots of repos with stored secrets that match:

[https://github.com/acalvoa/SRID_CHANGER/blob/da367e68433b3fd8a3a04e679e3d74b45bc051e3/src/de/micromata/opengis/kml/v_2_2_0/xal/AdministrativeArea.java](https://github.com/acalvoa/SRID_CHANGER/blob/da367e68433b3fd8a3a04e679e3d74b45bc051e3/src/de/micromata/opengis/kml/v_2_2_0/xal/AdministrativeArea.java)

Stored secret:

[https://github.com/acalvoa/SRID_CHANGER/blob/master/config.properties](https://github.com/acalvoa/SRID_CHANGER/blob/master/config.properties)

Will look more into this later.

~~~
amatecha
Ehhh, to me those seem like pretty common fields for any kind of contact data.
It doesn't have some of the more unusual or IMO implementation-specific fields
like "ShowableNonVisibleToOthers" or "PopulatedCleanNumber", for example.

------
killswitched
Some emails that turned up on my end: Dr. Dobbs and New Relic, although the
leaks occurred from parties to whom these sites had provided my data,
including at least unique email addresses.

------
forgotmypw23
The first thing that comes to mind is reCAPTCHA with some overlays. They would
know almost every account you've registered for.

------
cm2187
Does Elasticsearch have no authentication by default like MongoDB, or did
someone deliberately make it public?

~~~
tyingq
Fixed now, but this was a common sequence of events at one time:
[https://discuss.elastic.co/t/ransom-attack-on-elasticsearch-cluster/71310/18](https://discuss.elastic.co/t/ransom-attack-on-elasticsearch-cluster/71310/18)

~~~
cm2187
My god, it looks even worse than no security by default. It gives you a false
sense of security, then unlocks behind your back when you are not watching.
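A config audit, added here as an example and not part of the thread or of Elasticsearch's own tooling, that checks the two things zaat (the `network.host` listener setting) and cm2187 (authentication by default) discuss: which setting actually governs the HTTP listener's bind address, using the precedence from the Elasticsearch network settings documentation, and whether `xpack.security.enabled` is on. It assumes the flat dotted-key form of elasticsearch.yml; the sample configs and the treatment of an absent security key are constructed assumptions.

```python
"""Audit a constructed elasticsearch.yml for the two issues in the thread:
an HTTP listener bound beyond loopback, and security left disabled."""
import ipaddress

LOOPBACK_SPECIALS = {"_local_", "_local:ipv4_", "_local:ipv6_", "localhost"}

def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' form used by the stock elasticsearch.yml.
    Assumption: no nested mappings; inline lists such as [a, b] are accepted."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)              # first colon only, so '_local:ipv4_' survives
        value = value.strip().strip("'\"")
        if value.startswith("[") and value.endswith("]"):
            items = [v.strip().strip("'\"") for v in value[1:-1].split(",")]
            cfg[key.strip()] = [v for v in items if v]
        else:
            cfg[key.strip()] = [value]
    return cfg

def is_loopback(value):
    """True when a bind value can only be reached from the host itself."""
    if value in LOOPBACK_SPECIALS:
        return True
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False   # _site_, _global_, _eth0_, hostnames: reachable off-host

def effective_http_bind(cfg):
    """Return (setting, values) governing the HTTP listener. Precedence per the
    network settings docs: http.bind_host > http.host > network.bind_host > network.host."""
    for key in ("http.bind_host", "http.host", "network.bind_host", "network.host"):
        if key in cfg:
            return key, cfg[key]
    return "default", ["_local_"]                     # unset: loopback only

def audit(text):
    """Return a list of findings; empty means the listener is local and auth is on."""
    cfg = parse_flat_yaml(text)
    key, values = effective_http_bind(cfg)
    findings = []
    exposed = [v for v in values if not is_loopback(v)]
    if exposed:
        findings.append(f"HTTP listener bound beyond loopback via {key}: {exposed}")
    # Assumption: an absent key is treated as disabled; the real default depends
    # on the Elasticsearch version and licence in use.
    if cfg.get("xpack.security.enabled", ["false"])[0].lower() != "true":
        findings.append("xpack.security.enabled is not true: API answers without authentication")
    return findings

# Constructed sample configs: the pattern the thread complains about, and a fixed one.
WEAK = "cluster.name: contacts\nnetwork.host: 0.0.0.0   # every interface\nhttp.port: 9200\n"
HARDENED = "cluster.name: contacts\nnetwork.host: _site_\nhttp.host: 127.0.0.1\nxpack.security.enabled: true\n"
```

`audit(WEAK)` reports both findings, while `audit(HARDENED)` returns an empty list because `http.host` overrides the site-local `network.host` for the HTTP listener.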

------
wnevets
Am I the only one who dislikes some of those column names?

isNonIndividual, IsNonVisibleToOthers, ShowableNonVisibleToOthers

~~~
akersten
I can smell the enterprise ball-of-mud spaghetti code from here :)

------
wjnc
Question: It was my understanding that a lawyer could sue the cloud provider
for customer details of the cloud service in detail? It would be relevant
information in determining liability for leaking this PII.

------
voidmain0001
Firefox Monitor includes the db8151dd data:
[https://monitor.firefox.com/?breach=db8151dd](https://monitor.firefox.com/?breach=db8151dd)

~~~
yahelc
Probably because they include HIBP data:
[https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/](https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/)

------
jonykakarov
What I can't understand is that I never heard of this Covve app, and neither
had most of the affected users in the comment sections on Reddit, Troy's
website, or even here, as no one thought of it; and my email does exist in the
breach. Also, the data seems to be huge (103,150,616 rows/90GB) for an app
that has about 100k installs. Need some explanations here.

------
bluesign
It’s contact data from iOS and android phones probably scraped via some
malware app/apps

~~~
akmarinov
Contact data doesn’t contain CRM references

~~~
Nextgrid
Could it be that CRMs had their own contacts integrations which synced CRM
data into someone's contacts, where a different app then scraped it and got
pwned?

