Jeremy Kirk
Sep 23, 12 tweets, 8 min read
Someone is claiming to have the stolen Optus account data for 11.2 million users. They want $1 million in the Monero cryptocurrency from Optus to not sell the data to other people. Otherwise, they say they will sell it in parcels. #optus #auspol #infosec #OptusHack
The person who runs this data market where the Optus data was posted says the data is real (I have not verified the data yet). The person writes that "optusdata" showed the script used to scrape the data and passed along info about the vulnerable endpoint. #infosec #OptusHack
I've run 10 email addresses from the second sample of the Optus data through @haveibeenpwned. Nine have been in multiple data breaches before, but one is unique to this sample. That's a strong sign this leak is the real deal.
@haveibeenpwned I just ran 13 email addresses from the first batch of sample data from the alleged Optus leak through @haveibeenpwned. Six come back as unique (not in another breach indexed in HIBP). Again, another strong sign that the Optus data is real. #OptusHack #infosec #auspol @troyhunt
I queried Optus. Optus says: "We are investigating the legitimacy of this."
I've literally found someone down the road from me in the sample data. When I get out of my bathrobe and stop tweeting, I'll go down there and see if I can find the person to confirm her data.
I found the person in the data set. She was working in her front yard. She wants to stay unnamed but confirmed she is a former Optus customer and that her data is accurate. We still need a confirm from Optus on the data but this is all lining up. #OptusHack #auspol #infosec
I explained who I was and handed her a printout of her data (as an aside, kind of a weird experience - shoe leather journalism meets cyberspace). She said it was kind of scary. She hadn't been contacted by Optus yet. #OptusHack #auspol
Here's another sign the data may have come from Optus. There are email addresses like this: NO_EMAIL82320714@OPTUS.COM.AU. Those addies are in records where the person has no other email, which suggests Optus assigned an address if none was supplied. Just my guess though.
I haven't checked all of the NO_EMAIL email addresses, but none so far are turning up in @haveibeenpwned.
I reached the Optus hacker. The person had a fair bit to say. I've started a new thread here. #OptusHack #infosec #auspol
Here's a tidy news story that wraps up all my Optus data breach tweets. I've tried to make this understandable for everyone. It's important we understand how our personal data is at risk if not protected.
bankinfosecurity.com/optus-under-1-…
#OptusHack #auspol #infosec
More from @Jeremy_Kirk

Sep 24
UPDATE: I reached the person who claims to have hacked Optus. I've also been contacted by a second, separate source who says the hacker's version of events is approximately correct. Here's what they said. #OptusHack #infosec #auspol
The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn't have to login. The person says: "No authenticate needed. That is bad access control. All open to internet for any one to use." #infosec #auspol
The API endpoint was api[dot]optus.com.au. Yes, that looks weird, but the hacker says it worked; otherwise a DNS error occurred. That API is now offline, so there is no more risk for Optus. It was used in part to let Optus customers access their own data.
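The access-control failure described in the two tweets above, as an added illustration that is not code from Optus, from the thread or from its author: a minimal Python request handler that returns a customer record keyed only by the ID in the URL path, with no authentication, beside a hardened version that first requires a valid bearer token and then checks that the caller may only read the record bound to that token. The customer records, session tokens, IDs and the `/api/customers/` path are all constructed sample data; the real endpoint's shape is not on the page.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed sample customer records keyed by customer ID (not real data).
# The second record carries a placeholder address of the kind the thread
# describes, so the example also shows such records being returned.
CUSTOMERS = {
    "1001": {"name": "A. Example", "email": "a.example@example.invalid"},
    "1002": {"name": "B. Example", "email": "NO_EMAIL00000001@EXAMPLE.INVALID"},
}

# Constructed sample sessions: bearer token -> customer ID it was issued to.
SESSIONS = {
    "tok-alice-0001": "1001",
    "tok-bob-0002": "1002",
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def customer_id_from_path(request: dict) -> str:
    """Last path segment is the requested customer ID (constructed URL layout)."""
    return request["path"].rsplit("/", 1)[-1]


def get_customer_insecure(request: dict) -> Response:
    """Vulnerable pattern: trusts the ID in the path and never checks who is asking.

    Anyone who can reach the endpoint can read any record, and sequential IDs
    make walking the whole table trivial.
    """
    record = CUSTOMERS.get(customer_id_from_path(request))
    if record is None:
        return Response(404)
    return Response(200, record)


def authenticate(request: dict) -> Optional[str]:
    """Return the customer ID bound to a valid bearer token, or None."""
    auth = request.get("headers", {}).get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    # Constant-time comparison so token validation does not leak timing.
    for known, cid in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return cid
    return None


def get_customer_hardened(request: dict) -> Response:
    """Hardened pattern: authenticate first, then authorize at the object level."""
    caller = authenticate(request)
    if caller is None:
        return Response(401)  # no valid session: reveal nothing, not even 404
    requested = customer_id_from_path(request)
    if requested != caller:
        return Response(403)  # a customer may read only their own record
    record = CUSTOMERS.get(requested)
    if record is None:
        return Response(404)
    return Response(200, record)


def count_exposed_without_credentials(handler: Callable[[dict], Response],
                                      ids: Iterable[str]) -> int:
    """Defensive check: how many records does a handler return to an
    unauthenticated caller across a range of IDs? A correct handler returns 0."""
    exposed = 0
    for cid in ids:
        resp = handler({"path": f"/api/customers/{cid}", "headers": {}})
        if resp.status == 200:
            exposed += 1
    return exposed


if __name__ == "__main__":
    ids = [str(i) for i in range(1000, 1010)]
    print("insecure handler exposes:", count_exposed_without_credentials(get_customer_insecure, ids))
    print("hardened handler exposes:", count_exposed_without_credentials(get_customer_hardened, ids))
```

The check at the end is the kind of test a team can run against a staging deployment of any customer-data endpoint before it is published: walk a range of plausible IDs with no credentials and fail the build if anything other than 401 comes back.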
Sep 6
I broke this story about Instagram exposing kids' contact details in June 2019 based on the terrific research by @davidjstier (original story in next tweet). Now, Ireland's data protection authority will fine IG a record €405 million over it. #infosec washingtonpost.com/business/2022/…
The situation was essentially an intentional data breach. It boggled the mind. Here's the original story: Instagram Shows Kids' Contact Details in Plain Sight
databreachtoday.com/instagram-show…
The story was crazy. Instagram let minors convert their profiles to business profiles, which then automatically exposed details such as email addresses and phone numbers. Plus, all photos became automatically public.
Sep 5
Bypassing MFA at a big scale may be possible with "EvilProxy," a cybercriminal service discovered by @RESecurity. It uses a reverse proxy to nab session cookies, a technique that's been used before but now is wrapped in a slick phishing kit. Yikes. #infosec databreachtoday.com/cybercriminal-…
It is already being used against employees at Fortune 500 companies, says Resecurity's Gene Yoo. It targets services including Apple, Microsoft, Dropbox, LinkedIn, Yandex, Facebook, Twitter, Yahoo, Wordpress.
It's also capable of phishing players in the software supply chain, including GitHub, the Python Package Index, RubyGems and NPMJS. Suggests it could be aimed at helping crims tamper with or install backdoors in software packages.
Sep 12, 2021
There may be more clarity around the mystery surrounding how the decryption key for the ransomware used in the Kaseya attack leaked. It kicked off with @FlashpointIntel recounting a confusing post on Exploit that implied law enforcement was involved in gaining the key.
The original post on Exploit by REvil said the decryption key "was leaked by law enforcement agencies due to human error during the key generation process." It was speculated US or Russian LE might have had something to do with the key's appearance.
Two days ago, REvil posted again on Exploit. This time, it says it erroneously generated the key and then passed that on. Per @FlashpointIntel's translation: flashpoint-intel.com/blog/revil-is-…
Apr 16, 2021
The Shanghai PSB database is so odd. Aside from Uyghur tracking, personal info of random Westerners who entered China, there are mundane police blotter reports -- an accident involving a van and a bicycle (see screenshot), theft of old power meters. Why is it all mashed together?
And why is the _index for all this stuff labelled in English "uighurterrorist" when literally everything else - except for Westerner names who crossed the border - is in Mandarin?
There has been excellent reporting by @seanrubinsztein and @hui_echo about who is in the database. This may be unanswerable, but how does data from at least two Chinese security agencies end up in an open Elasticsearch database on Alibaba's cloud where anyone could find it?