1.37bn records from somewhere to leak on Monday

“Data breach hunter” Chris Vickery has claimed that he will shortly reveal a “1.4 billion identity leak”.

1.4 billion identity leak story incoming Monday morning. Thanks go to @SteveD3 (and someone else) for cooperating on investigation. — Chris Vickery (@VickerySec) March 3, 2017

He later offered a teaser of the leak, …

  1. a_yank_lurker

    Interesting

    1.4 billion could be interesting to see who got dinged. It looks like ye olde password manager will be getting a workout tomorrow.

    Are they all from one source?

    1. ElReg!comments!Pierre

      Re: Interesting

      A spam outfit, apparently.

      https://mackeeper.com/blog/post/339-spammergate-the-fall-of-an-empire

      Which means a password change won't be necessary. Credit protection, on the other hand...

  2. ecofeco Silver badge

    1.47 billion?

    That's... that's a LOT of records.

    1. katrinab Silver badge

      Re: 1.47 billion?

      How many of them will be accurate?

      When I register for public wifi, they get [randomletters]@theirdomain as the email address, and more random letters for my name. If they want an address, they get the address of the council dump. They may as well send the junk mail directly there rather than me directing it there via the bin.

  3. Captain DaFt

    It's just one Alien

    They're finally outing Roger! ☺

  4. Sitaram Chamarty
    FAIL

    why would you believe a government "statement"

    it could well be Aadhaar. In fact I hope it is -- better it happens now, when it has not yet taken root in all sorts of unrelated life (seriously, they want to make it mandatory for even buying TRAIN tickets online!) than a few years later, when the damage would be much much worse.

    And the sooner the morons in charge realise this is a bloody landmine (or gold mine, depending on how you look at it), the better.

    The security crowd has been screaming about "identification, not authentication" (or the less accurate but more understandable "biometrics are a userid, not a password") but no one has been listening.

    Now they have (or will shortly have) an app that can draw money from your bank account with just that one factor -- a finger swipe. I'm advising friends and relations who have an Aadhaar linked bank account to keep only a minimum of money there, and put the rest in a completely different account -- preferably in a different bank -- without Aadhaar linkage. The sad part is that the lowest strata just don't have enough money to do this kind of thing, and they're the most at risk from a mass biometrics leak and misuse.

    (Oh and I've also been told that the biometrics are safe and can't be faked; words like "liveness testing" have been bandied about. To which my response is "that's today's tech. It's an arms race and tomorrow the scene may be quite different, someone may figure out how to beat it".)

    1. Simon Sharwood, Reg APAC Editor (Written by Reg staff)

      Re: why would you believe a government "statement"

      Why believe it? Because when a government is confident enough to put out a statement like that, it quadruples the ridicule it invites if proven incorrect. I assume the Indian government has little interest in blowing itself up!

      1. Sitaram Chamarty

        Re: why would you believe a government "statement"

        Governments have very little shame; the fear of ridicule is often an "individual" thing, not a collective thing.

        Also, looking at the statement linked in the article, except a couple of points, the rest seem to be hinging on *regulatory* protections, (as opposed to, say, *technical* protections). This is akin to saying "murder is a crime". Sure it is, but it still happens, and it's not always caught either.

      2. Steve Davies 3 Silver badge

        Re: why would you believe a government "statement"

        You forget the stigma attached to 'losing face' in many societies.

        In Japan people in the past have been known to take their own life to avoid this sort of thing.

        In India people do not question orders given to them by their superiors even if they are clearly stupid.

        They do this for fear of looking weak to their peers.

        It will be interesting to see the data (or a snippet of it).

        Then we need to keep an eye on who is being escorted from what buildings by the Polis.

    2. DaLo

      Re: why would you believe a government "statement"

      SteveD3 has confirmed it is not the Indian DB.

      https://twitter.com/SteveD3/status/838321094146797569

    3. Anonymous Coward

      Re: why would you believe a government "statement"

      The sad part is that the lowest strata just don't have enough money to do this kind of thing, and they're the most at risk from a mass biometrics leak and misuse.

      Well, they certainly don't have the money after the Indian government "demonetised" the 1000 and 500 rupee notes, in perhaps the most blatant act of confiscation by any (nominally) democratic government.

      Although it does at least mean that being robbed is socially inclusive in India: Rich or poor, cash or digital, your money belongs to somebody else.

    4. JLV

      Re: why would you believe a government "statement"

      It's early and I momentarily misread the above as

      "a missing finger swipe"

  5. DanceMan

    Monday where?

    It's already Monday in Japan.

  6. Anonymous Coward

    Vickery, of MacOS security software house MacKeeper

    I'll correct that: Vickery, of controversial MacOS security software house MacKeeper. Don't install MacKeeper, kids. You don't need it. Do some research first. And especially avoid all the popups begging you to install it when you browse certain 'free' porn site collectives.

    1. Neil 8

      Re: Vickery, of MacOS security software house MacKeeper

      Yeah I came to say the same: MacKeeper is 'security software' almost exclusively sold through pop-ups & fake system alerts.

      1. Anonymous Coward

        Re: Vickery, of MacOS security software house MacKeeper

        MacKeeper relates to "security software" in the way that p*rn mags relate to classic literature.

        And that's an unfriendly comparison to p*rn mags.

      2. Anonymous Coward

        Re: Vickery, of MacOS security software house MacKeeper

        I had no idea that was even remotely legit - I thought it was a cryptolocker or something because of the adverts.

      3. Joe Gurman

        Re: Vickery, of MacOS security software house MacKeeper

        Precisely. Please research a little about your sources for stories before publishing. MacKeeper is considered Malware by everyone I've heard or read on the subject in the Mac consulting community. See, for instance: https://www.consumeraffairs.com/news/lawsuit-challenges-mackeepers-clean-computer-claims-012114.html .

    2. akeane
      Paris Hilton

      Re: Vickery, of MacOS security software house MacKeeper

      Sounds like a dirty Mac...

  7. Anonymous Coward

    My money's on Facebook

    They're due for an exploit, I'm probably due to change the password I've used on it for 10 years, this would provide the nudge I need.

    1. VinceH

      Re: My money's on Facebook

      On the one hand, I don't want it to be Facebook or any of the big names, because that's a lot of innocent users affected...

      On the other hand, I want it to be Facebook or any of the big names, because that's a lot of ignorant[1] people who might learn a lesson.

      [1] Come on. I'll bet most of us reading this site know people who we endlessly try to convince they need more than just a single password across every website going, but who steadfastly refuse to listen. Not to mention the amount of data that's given to these sites unnecessarily.

      1. GrumpyOldMan

        Re: My money's on Facebook

        hmmm.... my teenage kids spring to mind

  8. Anonymous Coward

    EXPORT Facebook_DB THEN email @NSA

    Aww shit. I typed NAS by mistake and accidentally sent a copy of the database to someone's cloudy Dropbox account instead.

    1. Anonymous Coward

      Re: EXPORT Facebook_DB THEN email @NSA

      "Aww shit. I typed NAS by mistake and accidentally sent a copy of the database to someone's cloudy Dropbox account instead."

      Looks like I was right. According to the Mackeeper and CSO articles:

      "I stumbled upon a suspicious, yet publicly exposed, collection of files. Someone had forgotten to put a password on this repository "

      &

      "accidentally exposed their entire operation to the public after failing to properly configure their Rsync backups."

      Like I suggested - someone exporting a database and then sending it elsewhere without relevant protection to stop it from being easily read.

  9. ratfox

    Google not in the list?

    If Yahoo! has a billion users, surely Google also does?

  10. ratfox

    "reducing the number of identities by 30,000."

    I think you mean 30 millions.

  11. Potemkine Silver badge

    I hope it's Yahoo!

    They worked so hard to get that World Record, it would be harsh if someone else did worse.

  12. Bob Vistakin
    Megaphone

    Look closer to home

    It's the account details of all the Microsoft shills in El Reg's forums.

    1. Alumoi Silver badge

      Re: Look closer to home

      I'm afraid you'll find there's only 1 troll with multiple accounts.

      1. Tom Paine

        Re: Look closer to home

        How would he (or we) find that?

    2. wallaby

      Re: Look closer to home

      oh dear, someone hasn't mentioned Linux in this yet - let's slag off Microsoft

      It gets soooooooooooooooooooooooooooooooooooooooo tedious

    3. CAPS LOCK

      It's the account details of all the Microsoft shills in El Reg's forums.

      Seven down votes? Maybe they're mostly having a lie in. Oh, oh, that was almost a pun.

  13. jake Silver badge

    AOL

    Just a guess ...

    1. Anonymous Coward

      Re: AOL

      Are they still a thing?

      1. Anonymous Coward

        Re: AOL

        Evidently, since our illustrious vice-president used a private AOL account to run state business and got it hacked in the process.

        Until that, I hadn't heard of them in at least 5 years.

  14. Winkypop Silver badge
    Joke

    CoS smear list?

    Because those bastards are hated far and wide...

  15. TrevorH

    It's a myisam database

    Unlikely to be Microsoft then

  16. Anonymous Coward

    Small inaccuracy there: Tencent owns both WeChat and QQ

    So all in all, they're sitting on *a lot* of records.

  17. viscount

    But seriously, it's obviously Yahoo.

  18. Amos1

    One of the clues given was "food" / "water" and "It's not what you think"

    That's from the Twitter account of the person he's working with. That makes me think of a large disaster relief provider like the International Red Cross. From the screenshot it's a MySQL database so you know, "free".

    1. Tom Paine

      Re: One of the clues given was "food" / "water" and "It's not what you think"

      Rivers contain water, Amazon is a river,..

      "Food", though. Hrrrrrm. They do sell groceries online but surely they haven't 10^9 customers for that.

      But then no food brand has a billion (registered) customers, either. McDonalds or KFC might conceivably have that many customers but not registered. My guess is the "food and drink" clue is cryptic, like a crossword clue. "food" / "drink", in quotes...

      DAMN! this is annoying me! Oh well, only 20 mins to go...

      1. Hans Neeson-Bumpsadese Silver badge

        Re: One of the clues given was "food" / "water" and "It's not what you think"

        But then no food brand has a billion (registered) customers, either. McDonalds or KFC might conceivably have that many customers but not registered.

        They might conceivably have that many customers, but I don't think that by any stretch of the imagination I'd consider them to be food

    2. NonSSL-Login

      Re: One of the clues given was "food" / "water" and "It's not what you think"

      I was actually expecting an unsecured MongoDB yet again...

      1. tr1ck5t3r
        Trollface

        Re: One of the clues given was "food" / "water" and "It's not what you think"

        Tesco Clubcard. It's been going since the 90's and I know from when I worked for them, their Windows network was horribly insecure. The Board of Directors would not be best pleased to know the truth, as they recently found out when their banking division was hacked.

  19. Cuddles

    "The only other nation with the potential for a database to contain 1.37bn identities is"

    ...every single one on the planet. For some reason the article is making the assumption that nations only ever hold details on their own citizens. Even ignoring all the spying that pretty much all countries get up to, every country with border controls (ie. all of them) has an entirely legitimate reason to hold information on people from anywhere in the world. Plus there are all kinds of legitimate data-sharing going on with the likes of patents, policing, and numerous other areas. How many people would 20 years of records from Heathrow airport be? (Spoiler - it's about 1.4 billion.)

    So no, there isn't a short list of candidates at all - the list is basically any country or any company that deals with internationally transferred data. It's only a short list if you assume it must contain only citizens of a single country or customers of a single company. While that is often the case, there's no reason it must always be so.

  20. imanidiot Silver badge

    entries != users

    To me that screenshot indicates the DB contains 1.37 billion fields/entries. As any user DB most likely contains several fields per user the number of users would then NOT be 1.37 billion. (Though still a lot, unless it's got 1000s of fields per user)

    1. Spoonguard
      FAIL

      Re: entries != users

      it has 22 columns per row, there are 1.37 billion rows.

  21. Spoonguard
    Stop

    panic averted

    looks like it was just some spammer's email list leaking (river city media) more here

    1. John Brown (no body) Silver badge

      Re: panic averted

      Wow! Thanks for the link. Now, if only the named and linked companies who are legitimate do something about it, it could seriously damage RCM.

  22. Anonymous Coward
    Pirate

    So what's next?

    So, according to MacKeeper this whole thing involves one huge list used by a group of spammers calling themselves River City Media (RCM). They abused servers and set up a network capable of sending out millions of spam messages.

    What bothers me though is reading things like: "Led by known spammers Alvin Slocombe and Matt Ferris, RCM masquerades as a legitimate marketing firm". Known spammers?

    A spammer these days is known to abuse network security in order to gain relays to send off all their mess. It's a known fact, even this article speaks about it, using hacking techniques in order to overload and mass send e-mail through legit mailservers.

    But apart from detecting all this what are they going to do next? I mean, it's good to read that Spamhaus will be adding the whole RCM structure into their blacklists, but what about the culprits behind all this? Has law enforcement been involved, can the police actually do something, will they actually do something, what?

    Although it is good news that MacKeeper opened up the lid of the can here I can't help wonder if this will only result in a temporary setback for these spammer guys. How else can you gain notoriety as a "known spammer" if it wasn't for the fact that you can simply continue what you do best?

    Meanwhile our European overlords still haven't decided about the new cookie law reversal. Because yeah, obviously those cookies are far more intrusive than any of this.

    1. DaLo

      Re: So what's next?

      " Has law enforcement been involved, can the police actually do something, will they actually do something, what?"

      From the article:

      Law enforcement was informed about the breach and the questionable activities it exposed. However, we cannot discuss those elements, because the agencies involved cannot comment on pending or ongoing investigations.

    2. uncommon_sense
      Thumb Down

      The Man or The Message?

      Where are your sympathies:

      A Spammer, or a notorious ScareWare Pusher?

      This case sounds like:

      Pot, meet Enormously Huge Steam Locomotive

  23. wallyhall

    Full story (published Monday)

    It's RCM.

    "At its core, RCM is a marketing firm that does email and SMS campaigns. While some of their work is legit, other campaigns ran by the company are questionable to say the least."

    Link to full story: http://www.csoonline.com/article/3176433/security/spammers-expose-their-entire-operation-though-bad-backups.html#tk.twt_cso

  24. MaxM

    Food/Drink

    APPLE?

  25. Paul Hovnanian Silver badge

    1.37 Billion ...

    ... upvotes attached to a comment about poor database security?

  26. Anonymous Coward

    I have no doubt some of my hundreds of disposable email addresses are on this list.

    I'd love to see the list so I can search for my emails and then block them. However can't imagine they'd simply release the list as that would be a little counter productive.

  27. Unbelievable!

    a bit more detailed article

    http://www.csoonline.com/article/3176433/security/spammers-expose-their-entire-operation-through-bad-backups.html?page=2

  28. Anonymous Coward

    The Answer is...

    https://www.theregister.co.uk/2017/03/06/radioshack_bankruptcy_savior_bankrupt/

    It's the dump from the Radio Shack Customer Database of personal info gathered by their salespeople for every transaction since 1921! I'm in there, but I did use fake addresses from time to time. Okay, every time.

    It HAS to be!!1! :P
