BreachExchange mailing list archives

Wetherspoons Hacker Speaks: 'I Did It Simply Because I Could'


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Dec 2015 19:16:51 -0700

http://motherboard.vice.com/read/wetherspoons-hacker-speaks-i-did-it-simply-because-i-could

Last week, Wetherspoons, a popular UK pub chain, announced that one of its
websites had been breached. The hacker got away with the names, dates of
birth, email addresses, and phone numbers of potentially 656,723 customers,
as well as the partial payment card data of 100 people.

Then late on Monday night, the hacker responsible, who used the handle
'ropertus', contacted this reporter. To verify their identity, ropertus sent
an email signed with the same PGP key listed with the advert for the stolen
Wetherspoons data on a Russian hacking market. (This is the same method
used to verify the communications between this reporter and The Impact
Team, the hackers who breached extra-marital site Ashley Madison earlier
this year).

Ropertus said that breaching the Wetherspoons site “wasn't complicated
whatsoever and would certainly add insult to injury to the company itself.”

The hacker wouldn't specify what vulnerability led to the breach, but did
add “I'm surprised that no one else has done the same up to this point.”

“The vulnerability took no more than 15 minutes to find through manual
searching and analysis,” ropertus said.

In an email sent to the potential hack victims, Wetherspoons was keen to
point out that the attack only affected an old company website. Bearing in
mind the speed at which ropertus allegedly discovered the vulnerability,
the sort of data obtained, and the hacker's comment about being surprised
no one had exploited it before, there's a chance that ropertus used SQL
injection.

SQL injection is an ancient website attack vector, and was first publicly
discussed around 1998. But it still leads to some of the biggest breaches
around, including the theft of personal data from UK ISP TalkTalk earlier
this year.

Ropertus has been advertising the Wetherspoons data on w0rm, a forum and
online marketplace owned by an eponymous Russian hacker, since at least
September 27. Ropertus also has hundreds of thousands of email addresses,
usernames, and hashed and plain text passwords for sale, coming from sites
such as lorealparis.com.cn, sferos.one.lt, totallywicked-eliquid.com,
gameevil.com, lgbt.lt, and funimation.com, according to product listings on
w0rm.

The hacker has put no fixed price on the stolen Wetherspoons data; instead,
individuals message ropertus and make their own offer.

“I have had quite a few potential buyers interested in the data as of late
due to the attention it's received,” Ropertus said.

But victims, despite likely being worried their personal contact
information is being sold on a criminal marketplace, may be surprised that,
all in all, it's really not that valuable.

“I would price it $750-$1000” for the whole lot, ropertus said. “Not a
premium price due to the mild contents within the database, and lack of
financial information contained in it.”

“That being said, many of the customers who expressed interest in
purchasing it were happy to pay within this price range and I would
comfortably make thousands of dollars as a result.”

Naturally, the more ropertus would sell the data, “the cheaper it would get
as databases are often traded and eventually it would become public.”

But ropertus has apparently decided not to sell the Wetherspoons data at
all. “I've made the decision not to sell it for a number of reasons, one of
which is to further protect my identity.” It's impossible to confirm
whether ropertus hasn't previously sold the data anyway.

Instead, ropertus claims that “I did it simply because I could, and to
serve as knowledge being put into practice.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
