Millions of Passwords Stolen by Cybercriminals Exposed by Israeli Activist Hacker
by Omer Kabir / CTech
CTech – Hacker and activist Noam Rotem has come across quite a few hacked or leaked databases in his life. A security breach that revealed the flight destinations of the prime minister and senior defense officials, a leak that revealed the personal information of passengers on Israel’s Road 6, a serious breach in dozens of financial institutions that was not repaired despite warnings: Rotem has seen it all. Or, at least, this is what he thought until he came across an open database that contained hundreds of millions of login details for various services – email, social networks, banks, internal systems and more – of millions of users from around the world, among them many Israelis, including civil servants and defense industry workers. And here comes the real twist: this database belongs to cybercriminals who have gathered login information that they stole from users all over the world.
Rotem located the malicious database using a scanner that he and his colleague Ran Locar operate regularly to identify databases that are exposed. “I identified a server that collected all the stolen information, and performed information verification processes,” Rotem explained. “The criminals took the passwords they stole and checked if it was possible to connect with them. There was a mark stating if the login details were correct or not.”
The malicious database was revealed on both Calcalist and the “Cybercyber” podcast (Hebrew) hosted by Rotem and Ido Kenan.
When Rotem identified the database at the end of May, he began downloading it to analyze its contents. However, after downloading only about 10 percent, his computer ran out of space. Even so, Rotem managed to download 2.5 million passwords, which provided insights into the identities of the victims. “There are victims from all over the world – Far East, North America, South America, Europe, Africa – there was no geographic targeting against Israel, and whatever the users kept as passwords was available to me: banking, medical services, security services, porn websites, email services, and organizations’ inner systems. You can see the user and what accounts he or she has in different places. Every online service you can think of was there, even crypto exchange passwords which can help you steal cryptocurrency easily.”
Among other things, the database contained login details for 137,000 Gmail accounts, 134,000 Facebook accounts, 109,000 Microsoft accounts, 68,000 government websites in various countries, 25,000 Amazon accounts, 23,000 Twitter accounts and 20,000 Netflix accounts.
According to Rotem, the criminals also identified their victims by country of origin, based on their IP addresses. The largest rate of victims, 11.35 percent, came from the US, followed by Brazil (10.9 percent), India (9.4 percent), Germany (6.64 percent) and the UK (4.89 percent).
Regarding Israel, Rotem identified thousands of local victims, many of whom had information and passwords for governmental and defense industry networks (“it was easy to identify them because their email was with the gov.il extension or included their company name”). Rotem also identified Pentagon staff and government employees from around the world in the database.
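As an added example (not the article’s or Rotem’s own code), the defender-side triage of such a dump as the article describes it: counting exposure per service and per country, and routing only the entries the criminals marked as working to the owning service and to organizations identified by their e-mail domain for a forced reset. The records, the field layout and the priority-domain list are constructed assumptions; gov.il is the one domain the article names.

```python
"""Triage a recovered credential-dump export for victim notification.

Added example; not code from the article or from Rotem's scanner.
Assumes each record carries the fields the article mentions: login
e-mail, the service it belongs to, the criminals' verification mark
and the victim's IP-derived country.  Passwords are never stored."""
from collections import Counter, defaultdict

# Constructed sample export: (login_email, service, verified_mark, country)
SAMPLE_DUMP = [
    ("alice@example.gov.il", "mail.gov.il", "OK", "IL"),
    ("bob@defense-contractor.example", "vault.defense-contractor.example", "OK", "IL"),
    ("carol@gmail.com", "facebook.com", "FAIL", "US"),
    ("dave@gmail.com", "gmail.com", "OK", "US"),
    ("erin@example.com.br", "netflix.com", "OK", "BR"),
    ("frank@gmail.com", "amazon.com", "OK", "IN"),
    ("grace@example.gov.il", "mail.gov.il", "FAIL", "IL"),
]

# E-mail domain suffixes whose owners get a direct notification.
# Assumption: gov.il comes from the article; the contractor domain is made up.
PRIORITY_SUFFIXES = (".gov.il", "defense-contractor.example")


def triage(records):
    """Return exposure counts, country shares and two reset lists.

    Only entries the criminals marked as working ("OK") are routed for a
    forced reset; failed entries still count toward exposure statistics,
    since the victim's machine was compromised either way.
    """
    by_service = Counter()
    by_country = Counter()
    resets_by_service = defaultdict(set)  # service -> accounts it must reset
    priority_orgs = defaultdict(set)      # victim org domain -> accounts to notify
    for email, service, mark, country in records:
        by_service[service] += 1
        by_country[country] += 1
        if mark != "OK":
            continue
        resets_by_service[service].add(email)
        domain = email.rsplit("@", 1)[-1].lower()
        if domain.endswith(PRIORITY_SUFFIXES):
            priority_orgs[domain].add(email)
    total = sum(by_country.values())
    return {
        "by_service": dict(by_service),
        "country_pct": {c: round(100 * n / total, 2) for c, n in by_country.items()},
        "resets_by_service": {s: sorted(a) for s, a in resets_by_service.items()},
        "priority_orgs": {d: sorted(a) for d, a in priority_orgs.items()},
    }
```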
One of Rotem’s most disturbing discoveries in this database was a password for the “safe” of a well-known company in the defense industry. “This is a system in which very sensitive files are stored, and with the stolen login information it was possible, allegedly, to access them,” Rotem explained. “The employee at the company kept the password on a computer to which he apparently downloaded the malware.”
The database disappeared from the net in early June, not long after Rotem found it. “It is difficult to say whether it was dropped from the network or access to it was blocked,” he said. “Now there is nothing on the IP address where it was available, so they may have replaced a server or blocked it well. But as far as we know, the hackers still have access to the information and we do not know who they are.”
Rotem notified Israeli authorities of the database in June. “They took care of it and took it seriously. They contacted the people, tried to check if the information was used and reset passwords. We also contacted the credit companies, banks, health providers and everyone handled it and reset the stolen passwords.”
Working with Israel’s National Cyber Directorate and Facebook
Israel’s National Cyber Directorate confirmed the details, stating: “The issue has been reported and addressed with the institutions that were identified by their usernames and guidelines were provided.” The directorate’s response also stated that “From our examination, the information was collected in 2019 from private sites visited by private users. We recommend that browser users be careful and download extensions only from official sources.”
Tom Alexandrovich of the Israel National Cyber Directorate added that “we have recently set up a new team whose goal is to be one step ahead of attackers – to identify vulnerabilities before malicious agents reach them. As part of this plan, we created a reporting mechanism from various sources to treat them as efficiently and quickly as possible. We apply, at the state level, early detection methods and technologies that will help deal with leaked password databases and may be used for attacks.”
Rotem also worked with Facebook’s global security team to assist with the stolen information. “They took the list, checked that it had real users, and verified their identity with the users’ cooperation, and asked them to change their password,” he said. “One person whose information was leaked is a Facebook employee, and as soon as they received that information they reached out to him, took his computer, and dismantled it in an attempt to understand where he got the malware, and whether it was maliciously used. They did not share everything with me but did say they think they found the malware and they took care of it.”