
30 million Americans affected by the Astoria Company data breach

Researchers discovered 30 million records of Americans affected by the Astoria Company data breach being offered for sale on the Dark Web.

Astoria Company LLC is a lead generation company that leverages a network of websites to collect information on people who may be looking for discounted car loans, alternative medical insurance, or even payday loans.

The collected data is shared with a number of partner sites (such as insurance or loan agencies), which pay per lead referral.

DATABASE SALE ON DARKWEB MARKETS

On January 26, 2021, the threat intelligence team at Night Lion Security became aware of several new breached databases being sold on the Dark0de market by the well-known hacking group ShinyHunters.

The data listed for sale included 400 million Facebook users, a database allegedly containing Instagram users, and a dump allegedly containing a 300 million-user database from Astoria Company. Most notably, the Astoria Company listing advertised 40 million U.S. Social Security numbers (these figures were later shown to be inflated).

Exposed records include the following fields:

  • Name
  • Email address
  • Date of Birth
  • Mobile Phone
  • Physical Address
  • IP Address

Other lead types exposed in the leak included additional information such as Social Security numbers, full bank account details, and even medical history. The leaked Astoria data also contained email transaction logs showing sensitive user information being transferred, unencrypted, via email.

Night Lion's analysis of the data revealed:

  • 10 million people with Social Security numbers, bank accounts, and driver's license numbers
  • 10 million+ people with other exposed fields, such as credit history, medical data, and home and vehicle information

A week later, these databases were published for sale on the Dark0de forum by user ShinyHunters.

Astoria's data was later offered for sale on other dark web forums by a seller using the handle "Seller13."

Night Lion researchers pointed to a recent blog post claiming that Seller13 is a member of ShinyHunters. The experts believe Seller13 is "Yousef," the original broker of nearly 400 million stolen Facebook accounts.

“At this time it is unclear whether Seller13 is using the ShinyHunters name as a type of misdirection, or if the two actors are actually working together. Our conversations with Seller13 seem to indicate that he and ShinyHunters are working together.” reported Night Lion.

Investigating the alleged breach, the experts found a list of more than 400 domains registered to Astoria Company, LLC.

The researchers spotted several web shells and malicious scripts on Astoria’s MortgageLeads.loans domain, including Corex.php and Adminer.php.

The attackers had deployed the Corex web shell and left a number of other tools on the system, including the adminer.php script. Adminer is a full-featured database management tool written in PHP that handles most common database engines, including MySQL, SQLite, MS SQL, and PostgreSQL. Because it is a single PHP file that exposes a complete database console through the browser, an unprotected copy sitting in a public web root is itself a critical exposure, regardless of how it got there.

"Given ShinyHunters' tendency to hack sites using leaked credentials, our next step was to use the HiddenWWW search engine to look for publicly accessible code with potentially leaked credentials or AWS keys. The HiddenWWW search engine returned a list of potentially vulnerable URLs across a number of different Astoria domains. We then leveraged an OSINT telegram bot to ping each of the URLs and return a list of any that were valid." the report continues.

Night Lion’s counterintelligence team contacted Seller13, who explained to them how they were able to access Astoria’s database.

"Visiting the http://mortgageleads.loans/adminer.php URL, we noticed immediately that the admin credentials for user "adminastoria" were pre-saved, allowing anyone complete access to the database from a public URL — no authentication needed." the experts continue.

Night Lion Security's CEO, Vinny Troia, reported the database exposure and the availability of the data on the Dark Web to Astoria Company on January 29, 2021.

The company investigated the issue and concluded that a "former developer from India" was most likely responsible for intentionally saving the credentials in the site.

The Astoria Company identified and confirmed the presence of the malicious scripts on its website and took them offline.

The experts found a total of 19 Astoria-owned domains running the same Adminer script; these were taken offline after Night Lion's report to Astoria.
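To make the domain-by-domain check described above concrete (enumerating candidate URLs, probing each one, and then finding that 19 domains ran the same Adminer script), here is an added example that is not code from the Security Affairs article or from Night Lion: a small Python scanner that probes a list of domains for adminer.php and the Corex web shell and classifies each hit. The domain names and HTTP responses are constructed for an offline run. The `auth[username]` field name is Adminer's real login-form input, while the "logged-in" and "web shell" markers are heuristics chosen for this example, and the extra Adminer file names beyond the two the report mentions are assumptions.

```python
"""
Offline scanner for exposed database-admin consoles and web shells on a list
of domains. The HTTP fetcher is injectable so this file runs against
constructed responses; swap in a real client to run it against hosts you own.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# File names from the Night Lion write-up (adminer.php, Corex.php) plus a few
# common Adminer aliases; the aliases are an assumption, not from the report.
SUSPECT_PATHS = [
    "/adminer.php", "/Adminer.php", "/adminer-4.php", "/db.php",
    "/Corex.php", "/corex.php",
]

# Adminer's login form posts auth[username] / auth[password]. If a 200 page
# is clearly Adminer but carries no login form, the visitor was dropped into
# an already-authenticated session (pre-saved or auto-login credentials).
LOGIN_FORM_MARKER = 'name="auth[username]"'
LOGGED_IN_MARKERS = ('id="tables"', "Create database")   # heuristic, assumption
WEBSHELL_MARKERS = ('name="cmd"', "Execute")              # heuristic, assumption

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status, body)


@dataclass
class Finding:
    url: str
    kind: str   # "adminer-open" | "adminer-login" | "adminer-unknown" | "webshell" | "unknown-script"
    status: int


def classify(path: str, status: int, body: str) -> Optional[str]:
    """Return a finding kind for a 200 response, or None if the path is absent."""
    if status != 200:
        return None
    lower = body.lower()
    if "adminer" in lower:
        if LOGIN_FORM_MARKER in body:
            return "adminer-login"          # present, but at least asks for credentials
        if any(m in body for m in LOGGED_IN_MARKERS):
            return "adminer-open"           # database UI reachable with no login step
        return "adminer-unknown"
    if "corex" in path.lower() or all(m in body for m in WEBSHELL_MARKERS):
        return "webshell"
    return "unknown-script"


def scan(domains: List[str], fetch: Fetcher) -> List[Finding]:
    """Probe every suspect path on every domain; network errors are skipped."""
    findings: List[Finding] = []
    for domain in domains:
        for path in SUSPECT_PATHS:
            url = f"http://{domain}{path}"
            try:
                status, body = fetch(url)
            except Exception:
                continue
            kind = classify(path, status, body)
            if kind is not None:
                findings.append(Finding(url, kind, status))
    return findings


# Constructed sample responses (not real captures) so the scanner runs offline.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    # Adminer straight into the server view: no form, tables listed.
    "http://leads.example/adminer.php": (
        200, '<title>Server - Adminer</title><p id="tables">...</p><a>Create database</a>'),
    # Adminer that still asks for credentials.
    "http://quotes.example/adminer.php": (
        200, '<title>Login - Adminer</title><form method="post">'
             '<input name="auth[username]"><input name="auth[password]"></form>'),
    # Leftover web shell with a command box.
    "http://quotes.example/Corex.php": (
        200, '<form method="post"><input name="cmd"><input type="submit" value="Execute"></form>'),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    return SAMPLE_RESPONSES.get(url, (404, ""))


def run_sample() -> List[Finding]:
    return scan(["leads.example", "quotes.example", "clean.example"], sample_fetch)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:16} {f.status} {f.url}")
```

For a live run against domains you are authorized to test, a fetcher such as `lambda u: (lambda r: (r.status_code, r.text))(requests.get(u, timeout=5, allow_redirects=False))` is enough; the "adminer-open" class is the one that matches the MortgageLeads.loans finding, since the page loads the database view without ever presenting the login form.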


Pierluigi Paganini

(SecurityAffairs – hacking, Astoria Company)
