Hacker breaches security firm in act of revenge

Hacker claims to have stolen more than 8,200 databases from a security firm's data leak monitoring service.
Written by Catalin Cimpanu, Contributor

A hacker claims to have breached the backend servers belonging to a US cyber-security firm and stolen information from the company's "data leak detection" service.

The hacker says the stolen data includes more than 8,200 databases containing the information of billions of users that leaked from other companies during past security breaches.

The databases have been collected inside DataViper, a data leak monitoring service managed by Vinny Troia, the security researcher behind Night Lion Security, a US-based cyber-security firm.

A data leak monitoring service is a common type of service offered by cyber-security firms. Security companies scan the dark web, hacking forums, paste sites, and other locations to collect information about companies that had their data leaked online.

They compile these "hacked databases" inside private backends so that customers can search the data and be alerted when employee credentials leak online, or when the companies themselves suffer a security breach.

The DataViper hack

Earlier today, a hacker going by the name of NightLion (the name of Troia's company), emailed tens of cyber-security reporters a link to a dark web portal where they published information about the hack.


The site contains an e-zine (electronic magazine) detailing the intrusion into DataViper's backend servers. The hacker claims to have spent three months inside DataViper servers while exfiltrating databases that Troia had indexed for the DataViper data leak monitoring service.

The hacker also posted the full list of 8,225 databases that Troia managed to index inside the DataViper service, a list of 482 downloadable JSON files containing samples from the data they claim to have stolen from the DataViper servers, and proof that they had access to DataViper's backend.

Furthermore, the hacker also posted ads on the Empire dark web marketplace where they put up for sale 50 of the biggest databases that they found inside DataViper's backend.


Most of the 8,200+ databases listed by the hacker came from "old breaches," intrusions that took place years earlier and whose data was already known and had already been leaked online in several locations.

However, there were also some new databases that ZDNet was not able to link to publicly disclosed security breaches. ZDNet will not be detailing these companies and their breaches, as we have requested additional details from the hacker, and are still in the process of verifying their claims.

Troia: Hacker breached a test server

In a phone call today with ZDNet, Troia admitted that the hacker gained access to one of the DataViper servers; however, the Night Lion Security founder said the server was merely a test instance.

Troia told ZDNet that he believes the hacker is actually selling their own databases, rather than any information they stole from his server.

The security researcher said this data had been public for many years or, in some cases, that he had obtained it from the same hacker communities of which the leaker is also a part.

Troia told ZDNet that he believes the leaker is associated with several hacking groups such as TheDarkOverlord, ShinyHunters, and GnosticPlayers.

All of these groups have a prolific hacking history and are responsible for hundreds of breaches, some of which Troia indexed in his DataViper database.

Furthermore, Troia also documented the activities of some of these groups in a book he published this spring. The DataViper founder says today's leak was timed to damage his reputation before a talk he's scheduled to give on Wednesday at the SecureWorld security conference about some of the very same hackers, and their supposed real-world identities.

Troia's full statement is below:

"When people think they are above the law, they get sloppy. So much so they forget to look at their own historical mistakes. I literally detailed an entire scenario in my book where I allowed them to gain access to my web server in order to get their IPs. They haven't learned. All they had access to was a dev environment. Much like the grey Microsoft hack which they recently took credit for, all they had was some source code that turned out to be nothing special, but they hyped it anyway hoping to get people's attention. These are the actions of scared little boys pushed up against a wall facing the loss of their freedom."

Additional reporting will follow throughout the week as ZDNet goes through the leaked data.
