Nulled.io is a popular crime forum with roughly 500,000 users who buy and sell all kinds of products and services and share information regarding illegal practices.
According to Risk Based Security, last week the Nulled.io forum suffered a security breach that exposed details of its members and more than 800,000 personal messages exchanged by the users of the hacker forum.
“Last week a well known “hacker” forum became victim to the fast growing list of over 1,076 data breaches that have occurred so far in 2016. The Nulled.IO forum was compromised and data was leaked on May 6th consisting of a 1.3GB tar.gz compressed archive which when expanded is a 9.45GB SQL file named db.sql.” reported Risk Based Security.
On May 6, the attackers leaked a 1.3Gb compressed archive containing a 9.45Gb database that included the details of more than 536,000 user accounts (usernames, hashed passwords, registration dates, email addresses, and IP addresses).
The popular cyber security expert Troy Hunt has already added the stolen account credentials to the Have I Been Pwned service.
New breach: Nulled cracking forum had 599k email addresses exposed last week. 25% were already in @haveibeenpwned https://t.co/LGaAnj1hUA
— Have I been pwned? (@haveibeenpwned) May 9, 2016
The hackers also leaked thousands of purchase records and invoices.
“If law enforcement obtains this information, (which no doubt they already have) it can be used to filter out any “suspects” under investigation for possibly conducting illegal activities via the forums. With this being such a comprehensive dump of data it offers up a very good set of information for matching a member ID to the attached invoices, transactions and other content such as member messages and posts.” continues the post.
The experts that analyzed the archive noticed the presence of a table containing personal details of VIP users.
The archive includes detailed information about transactions completed by VIP users, including their PayPal email addresses.
“Further we find API credentials for 3 payment gateways (Paypal, Bitcoin, Paymentwall) as well as 907,162 authentication logs with geolocation data, member id and ip addresses, and 256 user donation records that are able to be matched to the user with member id.” continues the post.
The experts from Risk Based Security found several email addresses belonging to governments across the world, including the United States, Jordan, and Brazil.
At the time of writing, it is still unknown who is behind the attack or how the hackers breached the Nulled.io crime forum, which is powered by the IP.Board forum framework. Experts speculate that the attackers might have exploited a flaw in the IP.Board forum software.
Experts at Sucuri reported multiple attacks against IP.Board forums leveraging the ImageMagick flaw.
In addition to vBulletin, seeing a few #ImageTragick attempts against “app=members&module=profile&section=photo&do=save” on IP.Board
— Daniel Cid (@danielcid) May 9, 2016
Daniel Cid, founder and CTO of Web security firm Sucuri, noted last week that IP.Board forums had been targeted in attacks exploiting a recently disclosed ImageMagick flaw.
Currently the Nulled.io crime forum is down.
(Security Affairs – Adobe, CVE-2016-4117 zero-day)