Attacks/Breaches
3/13/2013
02:34 PM

Celeb Data Breach Traced To Credit Reporting Site

Tiger Woods and Mitt Romney are latest to see personal financial details published; credit agencies confirm hackers took data from AnnualCreditReport.com.

Experian, Equifax and TransUnion, the country's three biggest credit-reporting agencies, have confirmed that hackers fraudulently obtained copies of credit reports for celebrities and government officials.

"We are aware of recent media reports pertaining to unauthorized access to files belonging to high-profile individuals," read a statement released Tuesday by Equifax. "Equifax can confirm that fraudulent and unauthorized access to four consumer credit reports has occurred."

The information had allegedly been obtained via AnnualCreditReport.com, which was created in 2003 after Congress passed legislation requiring that each of the three credit bureaus offer -- to the approximately 200 million consumers whose information they track -- a free annual copy of their credit report. According to the Consumer Financial Protection Bureau, the service is used annually by 16 million consumers.

According to a statement released by TransUnion, whoever obtained the credit reports would have had to provide a social security number as well as "considerable amounts" of personal information to trick the system into generating a credit report.

[ For more on recent high-profile information breaches, see Hackers Appear To Target Michelle Obama, FBI Director. ]

By Wednesday, the list of people who'd been "doxed" by having their personal financial details published to a website called Exposed.su included professional golfer Tiger Woods, U.S. Marshals Service director Stacia Hylton, and former presidential candidate Mitt Romney. This is in addition to the information published Monday and Tuesday pertaining to first lady Michelle Obama, Vice President Joe Biden, FBI director Robert Mueller, Attorney General Eric Holder and Los Angeles Police Department (LAPD) chief Charlie Beck, as well as celebrities Arnold Schwarzenegger, Beyonce, Jay-Z, Kim Kardashian and Paris Hilton.

A counter on Exposed.su showed that by Wednesday the website had been viewed nearly half a million times. According to statements released by Experian, Equifax and TransUnion, at least some of the information on the site -- which includes phone numbers, addresses and credit history -- is accurate.

President Obama Tuesday told ABC News that authorities are investigating the alleged breach. "We should not be surprised that if you've got hackers that want to dig in and devote a lot of resources, that they can access this information," Obama said. "Again, not sure how accurate but ... you've got websites out there that tell people's credit card info. That's how sophisticated they are."

Officials at the FBI and the U.S. Secret Service, reached by phone Tuesday, said that both of their agencies had begun related investigations. Likewise, the Los Angeles Police Department is investigating the disclosure of information relating to chief Charlie Beck, as well as any affected people inside its jurisdiction who request an investigation.

The information used by attackers to access the credit reports for Los Angeles Police Department officials -- involving social security numbers and some types of personal information -- was likely taken from a supposedly secure city employee database, Frank Preciado, assistant officer in charge at the LAPD online section, told Politico.

Los Angeles police commander Andrew Smith, in a press conference, noted that it wasn't the first time that information about LAPD officials has been published online. "People get mad at us, go on the Internet and try to find information about us, and post it all on one site," he said. But as for this recent round of breaches, he said, "It's a creepy thing to do."

Who's responsible for creating the Exposed.su website? So far, that's not clear, though what's interesting is the choice of top-level domain name -- .su -- which refers to the Soviet Union, and which can still be used to register sites. "Using a .su domain to host tells me these guys probably weren't that stupid -- this is a statement not a prank I think," said the threat intelligence manager for Trustwave SpiderLabs, who goes by "Space Rogue," on Twitter.

Likewise, it's not clear how the site's administrator obtained the credit reports. "Many questions remain as to whether this was a straightforward hack, or if the hackers were able to gain unauthorized access to the data via other means," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "One possibility is that the hackers were able to scoop information up off the net about particular individual public figures, and then use that to successfully impersonate their targets and access credit histories."

More evidence that whoever is behind the site knows what they're doing came via an error page on the Exposed.su website, which revealed that the site's administrator had signed up for CloudFlare, which helps keep sites online in the event of heavy amounts of page browsing or even some types of distributed denial-of-service (DDoS) attacks. CloudFlare, interestingly, is no stranger to controversy -- the company chose to continue working with hacktivist group LulzSec in 2011 after the group began publishing information that it had obtained by hacking into Sony's servers. "While we will respect the laws of the jurisdictions in which we operate, we do not believe it is our decision to determine what content may and may not be published," said CloudFlare CEO Matthew Prince in a blog posted at the time. "That is a slippery slope down which we will not tread."

Regardless of how long the doxed financial information remains online -- and the site remained live Wednesday -- the episode has highlighted the weak protection offered by restricting access to information based on social security numbers, Marc Maiffret, CTO of BeyondTrust, told U.S.News & World Report. "Pretty much everything comes falling down once you have a social security number," he said. "Once somebody has that, the person has the keys to everything."


Comments

Mathew, User Rank: Apprentice, 3/18/2013 11:59:29 AM
re: Celeb Data Breach Traced To Credit Reporting Site
Hi Oolith -- The article was fully reported (and verified). As of Monday (today) the Exposed website appears to be unreachable. Perhaps by the time you visited, the credit reporting agencies had put blocks in place?

Oolith, User Rank: Apprentice, 3/15/2013 1:55:25 AM
re: Celeb Data Breach Traced To Credit Reporting Site
Did you even go to the site and try it?? When I clicked through it was going directly to the credit reporting agency. This whole article is hogwash.