Attacks/Breaches
3/13/2013
02:34 PM
Celeb Data Breach Traced To Credit Reporting Site

Tiger Woods and Mitt Romney are latest to see personal financial details published; credit agencies confirm hackers took data from AnnualCreditReport.com.

Experian, Equifax and TransUnion, the country's three biggest credit-reporting agencies, have confirmed that hackers fraudulently obtained copies of credit reports for celebrities and government officials.

"We are aware of recent media reports pertaining to unauthorized access to files belonging to high-profile individuals," read a statement released Tuesday by Equifax. "Equifax can confirm that fraudulent and unauthorized access to four consumer credit reports has occurred."

The information had allegedly been obtained via AnnualCreditReport.com, which was created in 2003 after Congress passed legislation requiring that each of the three credit bureaus offer -- to the approximately 200 million consumers whose information they track -- a free annual copy of their credit report. According to the Consumer Financial Protection Bureau, the service is used annually by 16 million consumers.

According to a statement released by TransUnion, whoever obtained the credit reports would have had to provide a social security number as well as "considerable amounts" of personal information to trick the system into generating a credit report.

[ For more on recent high-profile information breaches, see Hackers Appear To Target Michelle Obama, FBI Director. ]

By Wednesday, the list of people who'd been "doxed" by having their personal financial details published to a website called Exposed.su included professional golfer Tiger Woods, U.S. Marshals Service director Stacia Hylton, and former presidential candidate Mitt Romney. This is in addition to the information published Monday and Tuesday pertaining to first lady Michelle Obama, Vice President Joe Biden, FBI director Robert Mueller, Attorney General Eric Holder and Los Angeles Police Department (LAPD) chief Charlie Beck, as well as celebrities Arnold Schwarzenegger, Beyonce, Jay-Z, Kim Kardashian and Paris Hilton.

A counter on Exposed.su showed that by Wednesday the website had been viewed nearly half a million times. According to statements released by Experian, Equifax and TransUnion, at least some of the information on the site -- which includes phone numbers, addresses and credit history -- is accurate.

President Obama Tuesday told ABC News that authorities are investigating the alleged breach. "We should not be surprised that if you've got hackers that want to dig in and devote a lot of resources, that they can access this information," Obama said. "Again, not sure how accurate but ... you've got websites out there that tell people's credit card info. That's how sophisticated they are."

Officials at the FBI and the U.S. Secret Service, reached by phone Tuesday, said that both of their agencies had begun related investigations. Likewise, the Los Angeles Police Department is investigating the disclosure of information relating to chief Charlie Beck, as well as any affected people inside their jurisdiction who request an investigation.

The information used by attackers to access the credit reports for Los Angeles Police Department officials -- social security numbers and some types of personal information -- was likely taken from a supposedly secure city employee database, according to Frank Preciado, assistant officer in charge of the LAPD online section, as reported by Politico.

Los Angeles police commander Andrew Smith, in a press conference, noted that it wasn't the first time that information about LAPD officials has been published online. "People get mad at us, go on the Internet and try to find information about us, and post it all on one site," he said. But as for this recent round of breaches, he said, "It's a creepy thing to do."

Who's responsible for creating the Exposed.su website? So far, that's not clear, though what's interesting is the choice of top-level domain name -- .su -- which refers to the Soviet Union, and which can still be used to register sites. "Using a .su domain to host tells me these guys probably weren't that stupid -- this is a statement not a prank I think," said the threat intelligence manager for Trustwave SpiderLabs, who goes by "Space Rogue," on Twitter.

Likewise, it's not clear how the site's administrator obtained the credit reports. "Many questions remain as to whether this was a straightforward hack, or if the hackers were able to gain unauthorized access to the data via other means," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "One possibility is that the hackers were able to scoop information up off the net about particular individual public figures, and then use that to successfully impersonate their targets and access credit histories."

More evidence that whoever is behind the site knows what they're doing came via an error page on the Exposed.su website, which revealed that the site's administrator had signed up for CloudFlare, a service that helps keep sites online under heavy traffic or even some types of distributed denial-of-service (DDoS) attacks. CloudFlare, interestingly, is no stranger to controversy -- the company chose to continue working with hacktivist group LulzSec in 2011 after the group began publishing information that it had obtained by hacking into Sony's servers. "While we will respect the laws of the jurisdictions in which we operate, we do not believe it is our decision to determine what content may and may not be published," said CloudFlare CEO Matthew Prince in a blog post at the time. "That is a slippery slope down which we will not tread."

Regardless of how long the doxed financial information remains online -- and the site remained live Wednesday -- the episode has highlighted the weak protection offered by gating access to information on a social security number, Marc Maiffret, CTO of BeyondTrust, told U.S. News & World Report. "Pretty much everything comes falling down once you have a social security number," he said. "Once somebody has that, the person has the keys to everything."

Comments
Mathew, User Rank: Apprentice
3/18/2013 | 11:59:29 AM
re: Celeb Data Breach Traced To Credit Reporting Site
Hi Oolith -- The article was fully reported (and verified). As of Monday (today) the Exposed website appears to be unreachable. Perhaps by the time you visited, the credit reporting agencies had put blocks in place?
Oolith, User Rank: Apprentice
3/15/2013 | 1:55:25 AM
re: Celeb Data Breach Traced To Credit Reporting Site
Did you even go to the site and try it?? When I clicked through it was going directly to the credit reporting agency. This whole article is hogwash.