1.37bn records from somewhere to leak on Monday

Silver badge

Interesting

1.4 billion could be interesting to see who got dinged. It looks like ye olde password manager will be getting a workout tomorrow.

Are they all from one source?

0
0

Re: Interesting

A spam outfit, apparently.

https://mackeeper.com/blog/post/339-spammergate-the-fall-of-an-empire

Which means a password change won't be necessary. Credit protection, on the other hand...

3
0
Silver badge

1.47 billion?

That's... that's a LOT of records.

0
0
Silver badge

Re: 1.47 billion?

How many of them will be accurate?

When I register for public wifi, they get [randomletters]@theirdomain as the email address, and more random letters for my name. If they want an address, they get the address of the council dump. They may as well send the junk mail directly there rather than me directing it there via the bin.

2
0
Silver badge

It's just one Alien

They're finally outing Roger! ☺

4
0
FAIL

why would you believe a government "statement"

it could well be Aadhaar. In fact I hope it is -- better it happens now, when it has not yet taken root in all sorts of unrelated life (seriously, they want to make it mandatory for even buying TRAIN tickets online!) than a few years later, when the damage would be much much worse.

And the sooner the morons in charge realise this is a bloody landmine (or gold mine, depending on how you look at it), the better.

The security crowd has been screaming about "identification, not authentication" (or the less accurate but more understandable "biometrics are a userid, not a password") but no one has been listening.

Now they have (or will shortly have) an app that can draw money from your bank account with just that one factor -- a finger swipe. I'm advising friends and relations who have an Aadhaar linked bank account to keep only a minimum of money there, and put the rest in a completely different account -- preferably in a different bank -- without Aadhaar linkage. The sad part is that the lowest strata just don't have enough money to do this kind of thing, and they're the most at risk from a mass biometrics leak and misuse.

(Oh and I've also been told that the biometrics are safe and can't be faked; words like "liveness testing" have been bandied about. To which my response is "that's today's tech. It's an arms race and tomorrow the scene may be quite different, someone may figure out how to beat it".)

26
0
(Written by Reg staff)

Re: why would you believe a government "statement"

Why believe it? Because when a government is confident enough to put out a statement like that, it quadruples the ridicule it invites if proven incorrect. I assume the Indian government has little interest in blowing itself up!

5
0

Re: why would you believe a government "statement"

Governments have very little shame; the fear of ridicule is often an "individual" thing, not a collective thing.

Also, looking at the statement linked in the article, except a couple of points, the rest seem to be hinging on *regulatory* protections, (as opposed to, say, *technical* protections). This is akin to saying "murder is a crime". Sure it is, but it still happens, and it's not always caught either.

11
0
Silver badge

Re: why would you believe a government "statement"

You forget the stigma attached to 'losing face' in many societies.

In Japan people in the past have been known to take their own life to avoid this sort of thing.

In India people do not question orders given to them by their superiors even if they are clearly stupid.

They do this for fear of looking weak to their peers.

It will be interesting to see the data (or a snippet of it).

Then we need to keep an eye on who is being escorted from what buildings by the Polis.

1
0

Re: why would you believe a government "statement"

SteveD3 has confirmed it is not the Indian DB.

https://twitter.com/SteveD3/status/838321094146797569

2
0
Silver badge

Re: why would you believe a government "statement"

The sad part is that the lowest strata just don't have enough money to do this kind of thing, and they're the most at risk from a mass biometrics leak and misuse.

Well, they certainly don't have the money after the Indian government "demonetised" the 1000 and 500 rupee notes, in perhaps the most blatant act of confiscation by any (nominally) democratic government.

Although it does at least mean that being robbed is socially inclusive in India: Rich or poor, cash or digital, your money belongs to somebody else.

3
0
JLV
Silver badge

Re: why would you believe a government "statement"

It's early and I momentarily misread the above as

"a missing finger swipe"

0
0

Monday where?

It's already Monday in Japan.

1
0
Anonymous Coward

Vickery, of MacOS security software house MacKeeper

I'll correct that: Vickery, of controversial MacOS security software house MacKeeper. Don't install MacKeeper, kids. You don't need it. Do some research first. And especially avoid all the popups begging you to install it when you browse certain 'free' porn site collectives.

6
0

Re: Vickery, of MacOS security software house MacKeeper

Yeah I came to say the same: MacKeeper is 'security software' almost exclusively sold through pop-ups & fake system alerts.

2
0
Anonymous Coward

Re: Vickery, of MacOS security software house MacKeeper

MacKeeper relates to "security software" in the way that p*rn mags relate to classic literature.

And that's an unfriendly comparison to p*rn mags.

3
0
Silver badge

Re: Vickery, of MacOS security software house MacKeeper

I had no idea that was even remotely legit - I thought it was a cryptolocker or something because of the adverts.

2
0

Re: Vickery, of MacOS security software house MacKeeper

Precisely. Please research a little about your sources for stories before publishing. MacKeeper is considered Malware by everyone I've heard or read on the subject in the Mac consulting community. See, for instance: https://www.consumeraffairs.com/news/lawsuit-challenges-mackeepers-clean-computer-claims-012114.html .

3
0
Paris Hilton

Re: Vickery, of MacOS security software house MacKeeper

Sounds like a dirty Mac...

0
0
Silver badge

My money's on Facebook

They're due for an exploit, I'm probably due to change the password I've used on it for 10 years, this would provide the nudge I need.

1
0
Silver badge

Re: My money's on Facebook

On the one hand, I don't want it to be Facebook or any of the big names, because that's a lot of innocent users affected...

On the other hand, I want it to be Facebook or any of the big names, because that's a lot of ignorant[1] people who might learn a lesson.

[1] Come on. I'll bet most of us reading this site know people who we endlessly try to convince they need more than just a single password across every website going, but who steadfastly refuse to listen. Not to mention the amount of data that's given to these sites unnecessarily.

6
0

Re: My money's on Facebook

hmmm.... my teenage kids spring to mind

0
0
Anonymous Coward

EXPORT Facebook_DB THEN email @NSA

Aww shit. I typed NAS by mistake and accidentally sent a copy of the database to someone's cloudy Dropbox account instead.

3
0
Anonymous Coward

Re: EXPORT Facebook_DB THEN email @NSA

"Aww shit. I typed NAS by mistake and accidentally sent a copy of the database to someone's cloudy Dropbox account instead."

Looks like I was right. According to the Mackeeper and CSO articles:

"I stumbled upon a suspicious, yet publicly exposed, collection of files. Someone had forgotten to put a password on this repository "

&

"accidentally exposed their entire operation to the public after failing to properly configure their Rsync backups."

Like I suggested - someone exporting a database and then sending it elsewhere without relevant protection to stop it from being easily read.

0
0
Silver badge

Google not in the list?

If Yahoo! has a billion users, surely Google also does?

1
0
Silver badge

"reducing the number of identities by 30,000."

I think you mean 30 million.

0
0
Silver badge

I hope it's Yahoo!

They worked so hard to get that World Record, it would be harsh if someone else did worse.

11
0
Silver badge
Megaphone

Look closer to home

It's the account details of all the Microsoft shills in El Reg's forums.

11
16

Re: Look closer to home

I'm afraid you'll find there's only 1 troll with multiple accounts.

3
0
Silver badge

Re: Look closer to home

How would he (or we) find that?

0
0
Bronze badge

Re: Look closer to home

Oh dear, someone hasn't mentioned Linux in this yet - let's slag off Microsoft

It gets soooooooooooooooooooooooooooooooooooooooo tedious

10
2
Silver badge

It's the account details of all the Microsoft shills in El Reg's forums.

Seven down votes? Maybe they're mostly having a lie in. Oh, oh, that was almost a pun.

2
0
Silver badge

AOL

Just a guess ...

0
0
Anonymous Coward

Re: AOL

Are they still a thing?

1
0
Anonymous Coward

Re: AOL

Evidently, since our illustrious vice-president used a private AOL account to run state business and got it hacked in the process.

Until that, I hadn't heard of them in at least 5 years.

1
0
Silver badge
Joke

CoS smear list?

Because those bastards are hated far and wide...

0
0

It's a myisam database

Unlikely to be Microsoft then

0
0
Anonymous Coward

Small inaccuracy there: Tencent owns both WeChat and QQ

So all in all, they're sitting on *a lot* of records.

0
0

But seriously, it's obviously Yahoo.

1
0
Bronze badge

One of the clues given was "food" / "water" and "It's not what you think"

That's from the Twitter account of the person he's working with. That makes me think of a large disaster relief provider like the International Red Cross. From the screenshot it's a MySQL database so you know, "free".

0
0
Silver badge

Re: One of the clues given was "food" / "water" and "It's not what you think"

Rivers contain water, Amazon is a river,..

"Food", though. Hrrrrrm. They do sell groceries online but surely they haven't 10^9 customers for that.

But then no food brand has a billion (registered) customers, either. McDonalds or KFC might conceivably have that many customers but not registered. My guess is the "food and drink" clue is cryptic, like a crossword clue. "food" / "drink", in quotes...

DAMN! this is annoying me! Oh well, only 20 mins to go...

0
0
Silver badge

Re: One of the clues given was "food" / "water" and "It's not what you think"

But then no food brand has a billion (registered) customers, either. McDonalds or KFC might conceivably have that many customers but not registered.

They might conceivably have that many customers, but I don't think that by any stretch of the imagination I'd consider them to be food

0
0
Bronze badge

Re: One of the clues given was "food" / "water" and "It's not what you think"

I was actually expecting an unsecured MongoDB yet again...

0
0
Trollface

Re: One of the clues given was "food" / "water" and "It's not what you think"

Tesco Clubcard. It's been going since the 90's and I know from when I worked for them, their Windows network was horribly insecure. The Board of Directors would not be best pleased to know the truth, as they recently found out when their banking division was hacked.

0
0
Silver badge

"The only other nation with the potential for a database to contain 1.37bn identities is"

...every single one on the planet. For some reason the article is making the assumption that nations only ever hold details on their own citizens. Even ignoring all the spying that pretty much all countries get up to, every country with border controls (ie. all of them) has an entirely legitimate reason to hold information on people from anywhere in the world. Plus there are all kinds of legitimate data-sharing going on with the likes of patents, policing, and numerous other areas. How many people would 20 years of records from Heathrow airport be? (Spoiler - it's about 1.4 billion.)

So no, there isn't a short list of candidates at all - the list is basically any country or any company that deals with internationally transferred data. It's only a short list if you assume it must contain only citizens of a single country or customers of a single company. While that is often the case, there's no reason it must always be so.

3
0
Silver badge

entries != users

To me that screenshot indicates the DB contains 1.37 billion fields/entries. As any user DB most likely contains several fields per user the number of users would then NOT be 1.37 billion. (Though still a lot, unless it's got 1000s of fields per user)

0
1
FAIL

Re: entries != users

it has 22 columns per row, there are 1.37 billion rows.

1
0
Stop

panic averted

Looks like it was just some spammer's email list leaking (River City Media) more here

7
0
Silver badge

Re: panic averted

Wow! Thanks for the link. Now, if only the named and linked companies who are legitimate do something about it, it could seriously damage RCM.

0
0
Silver badge
Pirate

So what's next?

So, according to MacKeeper this whole thing involves one huge list used by a group of spammers calling themselves River City Media (RCM). They abused servers and set up a network capable of sending out millions of spam messages.

What bothers me though is reading things like: "Led by known spammers Alvin Slocombe and Matt Ferris, RCM masquerades as a legitimate marketing firm". Known spammers?

A spammer these days is known to abuse network security in order to gain relays to send off all their mess. It's a known fact, even this article speaks about it, using hacking techniques in order to overload and mass send e-mail through legit mailservers.

But apart from detecting all this what are they going to do next? I mean, it's good to read that Spamhaus will be adding the whole RCM structure into their blacklists, but what about the culprits behind all this? Has law enforcement been involved, can the police actually do something, will they actually do something, what?

Although it is good news that MacKeeper opened up the lid of the can here I can't help wonder if this will only result in a temporary setback for these spammer guys. How else can you gain notoriety as a "known spammer" if it wasn't for the fact that you can simply continue what you do best?

Meanwhile our European overlords still haven't decided about the new cookie law reversal. Because yeah, obviously those cookies are far more intrusive than any of this.

3
0
