Jeremy Kirk
Oct 17, 12 tweets, 8 min read
Someone is claiming responsibility for the recent hack of MyDeal, the online marketplace owned by Aussie grocery Woolworths Group. The price for the data is at $600. CAUTION: I haven't verified the data yet or if this is legit. #infosec #auspol
To recap, Woolworths said on Friday that 2.2 million people were affected after its CRM system was accessed. For 1.2 million, only email was exposed. For the rest, names, email addresses, phone numbers, delivery addresses, sometimes birth dates. PR here: woolworthsgroup.com.au/au/en/media/la…
This is the first screenshot that the person claims is proof of access to MyDeal's AWS. Sean Senvirtne is the founder and CEO of MyDeal. Anyone have thoughts on what this may or may not show? #infosec
The person also published this screenshot on Saturday, writing "will leak some of the data soon." Seems to show access to MyDeal's Atlassian. URL is mydeal.atlassian[dot]net. Ironically what's open is the cyber security policy and breach response wiki. #auspol
@woolworths
Woolworths' media team says they're unlikely to have a comment today on this MyDeal development but probably will by tomorrow morning. #auspol
The attacker shared with me a network infrastructure map for Woolworths MyDeal. It's too sensitive to post a screenshot. It's a complex diagram of how MyDeal is put together, from SaaS services, e-commerce systems, payments, dev systems to the CRM system that was hacked.
The MyDeal attacker says they're only asking $600 for the data because it's not that valuable to cyber criminals. This is right because there's just so much data like this already out there (there's no passport/DL numbers, financial info or passwords in the data).
The Woolworths MyDeal attacker also says they sent an email to around a dozen people who work at MyDeal asking for $20K in exchange for a promise to delete the data. It doesn't appear that MyDeal responded. #infosec #auspol #databreaches
Last tweet before I sign off here. The Woolworths MyDeal attacker says they also took source code from MyDeal's Bitbucket. Additionally, they did a bit of trolling in MyDeal's Zendesk customer support system, as exhibited in this screenshot that references @troyhunt. #infosec
@troyhunt The Woolworths @mydealaustralia attacker released a 500-line data sample a few minutes ago. #auspol #databreach #Australia #infosec
The Woolworths Group MyDeal data has now been marked as "sold" on the data leak forum. The attacker writes on Telegram that "the MyDeal DB has been sold won't be selling anymore copies." #auspol #infosec
Adding to the thread a link to a story I wrote today that wraps the MyDeal situation into all of the other activity going on in Australia now related to data breaches - @vinomofo, @optus and @medibank: bankinfosecurity.com/new-data-leaks…
More from @Jeremy_Kirk

Sep 29
Here are some technical observations related to the Optus breach. This gets into the technical weeds, but it’s important for understanding how this breach may have happened. I’ll try to make it as comprehensible as possible. #optushack #auspol #infosec
Some information is based on public data. The analysis comes from information security experts, whom I appreciate reaching out to me. 😉
We know that the breach occurred because the Optus hacker abused an application programming interface (API) which was api[dot]optus.com.au. As we know, that API was left open on the internet.
Sep 26
Bad news. The Optus hacker has released 10,000 customer records and says a 10K batch will be released every day over the next four days if Optus doesn't give in to the extortion demand. #OptusDataBreach #optushack #auspol #infosec
Quick observation on this new data. It appears Medicare numbers may be exposed for some people. Redacted screenshot below. #Optus #OptusDataBreach
The word "Medicare" appears 55 times across these records.
Sep 24
UPDATE: I reached the person who claims to have hacked Optus. I've also been contacted by a second, separate source who says the hacker's version of events is approximately correct. Here's what they said. #OptusHack #infosec #auspol
The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn't have to login. The person says: "No authenticate needed. That is bad access control. All open to internet for any one to use." #infosec #auspol
The API endpoint was api[dot]optus.com.au. Yes, that looks weird, but the hacker says it worked otherwise a DNS error occurred. That API is now offline, so there is no more risk for Optus. It was used in part to let Optus customers access their own data.
Sep 23
Someone is claiming to have the stolen Optus account data for 11.2 million users. They want $1 million in the Monero cryptocurrency from Optus to not sell the data to other people. Otherwise, they say they will sell it in parcels. #optus #auspol #infosec #OptusHack
The person who runs this data market where the Optus data was posted says the data is real (I have not verified the data yet). The person writes that "optusdata" showed the script used to scrape the data and passed along info about the vulnerable endpoint. #infosec #OptusHack
I've run 10 email addresses from the second sample of the Optus data through @haveibeenpwned. Nine have been in multiple data breaches before, but one is unique to this sample. That's a strong sign this leak is the real deal.
Sep 6
I broke this story about Instagram exposing kids' contact details in June 2019 based on the terrific research by @davidjstier (original story in next tweet). Now, Ireland's data protection authority will fine IG a record €405 million over it. #infosec washingtonpost.com/business/2022/…
The situation was essentially an intentional data breach. It boggled the mind. Here's the original story: Instagram Shows Kids' Contact Details in Plain Sight
databreachtoday.com/instagram-show…
The story was crazy. Instagram let minors convert their profiles to business profiles, which then automatically exposed details such as email addresses and phone numbers. Plus, all photos became automatically public.
Sep 5
Bypassing MFA at a big scale may be possible with "EvilProxy", a cybercriminal service discovered by @RESecurity. It uses a reverse proxy to nab session cookies, a technique that's been used before but now is wrapped in a slick phishing kit. Yikes. #infosec databreachtoday.com/cybercriminal-…
It is already being used against employees at Fortune 500 companies, says Resecurity's Gene Yoo. It targets services including Apple, Microsoft, Dropbox, LinkedIn, Yandex, Facebook, Twitter, Yahoo, Wordpress.
It's also capable of phishing players in the software supply chain, including GitHub, the Python Package Index, RubyGems and NPMJS. Suggests it could be aimed at helping crims tamper with or install backdoors in software packages.