GhostShell hacker leaks 39 million accounts in security "protest"

The databases contain highly personal information, including names, email addresses, dates of birth, genders, and even social-media information.
Written by Zack Whittaker, Contributor

(Image: file photo, via GhostShell/Twitter)

A hacker has stolen an estimated 39 million account details -- simply by walking right in and taking them.

The renowned hacker, who goes by the moniker GhostShell, was able to download a vast but unknown number of databases from 110 different web-connected servers that didn't require credentials.

The hacker was able to use port-scanning tools -- including Shodan.io, a search engine for internet-connected devices -- to locate the databases, stored on public-facing servers running widely-used database software MongoDB.

GhostShell uploaded the cache for public consumption -- about 6 gigabytes of uncompressed files -- in protest at the "poorly configured" state of the systems.

He said in a note on Pastebin, where hackers often post breached data, that his goal was "to raise awareness about what happens when you decide not to even add a username and password as root or check for open ports."

The hacker added that many system administrators "don't bother checking for open ports on their newly configured servers," which means anyone can access data without needing a username and password.

"This can basically lead to anyone infiltrating the network and managing their internal data without any interference. You don't even have to elevate your privileges, you just connect and have total access. You can create new databases, delete existing ones, alter data, and so much more," the hacker said.
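The misconfiguration the hacker describes, as an added illustration that is not from the article or from any of the affected servers: a mongod.conf fragment with the exposed settings, followed by a hardened equivalent. The certificate path is a placeholder assumption.

```yaml
# mongod.conf -- the exposed configuration described above
# (added illustration; not the article's own material)
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface, including the public one
# No "security" section: authorization is off, so any client that can reach
# port 27017 is treated as a full administrator with no username or password.
# This is what "you just connect and have total access" refers to.

---
# mongod.conf -- hardened equivalent
net:
  port: 27017
  bindIp: 127.0.0.1        # only local clients (or a private-network address) can connect
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path (assumption)
security:
  authorization: enabled   # every connection must authenticate and is limited to its roles
```

Create an administrative user on the admin database through the localhost exception before turning on authorization, otherwise no one can log in afterwards. Confirm with a listening-port check (for example `ss -ltn`) that 27017 is bound only to the intended address.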

It's not immediately clear what all the databases are for, or who they are operated by.

Many are hosted by well-known providers, such as Amazon Web Services and Rackspace.

Though every database is different, we were able to find full names, usernames, dates of birth, email addresses, phone numbers, genders, payment gateway information (such as if a credit card was declined), job titles and descriptions and even wedding days. We also found social-related content, such as Facebook profile IDs and Twitter IDs, profile pictures, and tokens used to authenticate a user with a service.

In some instances, we found full email content -- some of it marked confidential.

We also found a ton of metadata, such as connecting IP addresses, device information, geo-location data, browser types, User Agents (which can be used to determine and track a unique device), and when user accounts were created and when they last logged in -- just to name a few.

Many of the passwords were hashed and salted, but we were able to unscramble many (though not all) passwords using readily-available online tools.

But in many cases, there are combinations of usernames or email addresses and plain-text passwords, which may allow a hacker to conduct further intrusions.

Lee Johnstone, a security researcher and founder of Cyber Wars News, who helped comb through some of the data, said he saw "more hashed than unhashed" passwords.

He was also able to offer an at-a-glance view of whose data was caught up in the databases.

After a deep search of the files, Johnstone found 626,000 unique email addresses in the cache -- including dozens of .mil addresses and over 1,300 separate .gov addresses, among them addresses from the Dept. of Homeland Security, the FBI, FAA, IRS, and the US Navy.

He also found more than 7,000 .edu addresses from colleges and universities -- most of which appear to be staff members.

One of the databases contained about 140,000 unique email addresses. When asked, GhostShell told me that this database contained details on "the top IT of the most wealthy corporations from the US" -- or in other words, senior IT staff at high-profile organizations, such as Apple, IBM, Microsoft, and even federal agencies like the FBI.

That unsecured database is hosted by Webair, a Long Island, NY-based cloud hosting company. A spokesperson explained the unsecured server in a statement:

"The database file in question is hosted on a self-managed server, meaning that the customer is responsible for managing their entire infrastructure stack, including security, database and operating system. If the customer uploads unprotected data onto a public website, it is the customer's responsibility -- Webair maintains no control over their decision to do so," said the spokesperson.

"I'm not that keen on embarrassing them," GhostShell told me, referring to Webair. "But when you're a company so old, and with a capital so huge... with high stakes customers, you would think they would at least try to protect them," he said.

The size of the downloadable cache alone puts it at one of the largest breaches this year -- but it could have been far larger, given time and resources.

"The worst part is that this is barely a fraction of what I could get my hands on," the hacker said.
