Carder forum claims 150 million logins for sale from CloudBleed case

Pierluigi Paganini February 25, 2017

The carder forum CVV2Finder claims to have more than 150 million logins from several popular services, including Netflix and Uber.

The carder forum CVV2Finder claims to have more than 150 million logins, from several popular services, including Netflix and Uber. The operators in the forum are offering the precious commodity to the VIP members.

According to the experts, the data were obtained by exploiting the recently discovered Cloudbleed, a flaw that was causing the leak of a wide range of sensitive information in the CloudFlare infrastructure, including authentication cookies and login credentials of numerous organizations using the popular service.

The Cloudbleed security issue with Cloudflare servers has a significant impact on numerous major organizations, including Uber, Fitbit, 1Password, and OKCupid. Cloudbleed also affects mobile apps, because, they are developed using the same backends as browsers for content delivery and HTTPS (SSL/TLS) termination.

The flaw was discovered by the popular researcher Tavis Ormandy from Google Project Zero Team.

The Canadian researcher Phineas (@itsphin) published on GitHub a list of more than 4 million domains possibly affected by Cloudflare’s Cloudbleed HTTPS Traffic Leak.

The list includes popular services such as 23andme, Coinbase, Patreon, Yelp, Fiverr, and

“This list contains all domains that use Cloudflare DNS, not just the Cloudflare proxy (the affected service that leaked data). It’s a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list.” explained Phineas.

“Cloudflare has not provided an official list of affected domains, and likely will not due to privacy concerns. I’m compiling an unofficial list here so you know what passwords to change.”

Experts at Salted Hash received via email the following screenshot the CVV2Finder carder forum.


A messaged appeared on the CVV2Finder forum clearly refers the Cloudbleed case as the source of millions of fresh credentials for popular services.

“Dear DeepWeb Users of cvv2finder, After the success of the latest attack (cloudbleed) to cloudflare servers, More than 150 Million Fresh Logins Avaliable for Uber , Netflix … and many more. After hours these data will be avaliable into a database and would sell it for 250k$. This offer only for VIP users.”

This means that the impact of CloudBleed was much larger than first thought with a serious impact for CloudFlare customers.

Experts noticed that Netflix isn’t a CloudFlare customer, so the presence of the file in the list of accounts offered for sale is suspect.

“CVV2Finder lists Netflix, Dominos, several “People Meet” dating websites, Tidal, CBS, Bitdefender, Origin, Dell, UPS, HBO Now, Spotify, and DirecTV accounts in their database as available to purchase.” reported Salted HAsh. “However, there are only 2,300 accounts, a far cry from the 150 million they are promising.”

Stay Tuned …

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cloudbleed , hacking)

you might also like

leave a comment