BreachExchange mailing list archives

Data, data everywhere! Where it comes from, nobody really knows?


From: Jake <jake () riskbasedsecurity com>
Date: Tue, 17 Dec 2013 01:42:37 -0500

http://www.datalossdb.org/incident_highlights/60-data-data-everywhere-where-it-comes-from-nobody-really-knows

2013-12-16 by lee_j

While there are still a few weeks left in 2013, it has already been
the most severe in terms of data breaches in the last 10 years with
over 705 million records lost. In addition, 4 of the top 10 data
breaches of all time happened in 2013, with the top spot now belonging
to Adobe (at least for the moment).

The Adobe breach was discovered and brought to light by Brian Krebs
and information security researcher Alex Holden back in October (Brian
Krebs is an Advisor to Alex Holden’s company). When the leak was first
announced it was said to be about 2.9 million records but soon after
the figure changed to what is now confirmed to be approximately 152
million records. Adobe has commented on the amount of data and users
impacted a few times, and is expected to provide an update when their
investigations are completed. The data has been stated to have a lot
of duplicates as well as false data including usernames (email
addresses) and encrypted passwords. This data was allegedly obtained
directly from Adobe’s servers by unknown hackers who are also said to
have obtained data from several other well known sites as well.

Early investigations by Krebs appear to have uncovered major breaches
after they obtained the complete database of SSNDOB, an underground
carding and personal information website. The SSNDOB investigation
uncovered a lot of high profile names like LexisNexis Inc., Dun &
Bradstreet, and Kroll Background America, Inc. all of which were
hacked and used as a massive database for the SSNDOB website. In
addition, another was the Cupid Media breach which exposed 42 million
accounts and according to Brian Krebs was found on the same server as
the Adobe data as well as NW3CM and PR News Wire.

One item which does not seem to be fully addressed is how Brian Krebs
and Alex Holden were able to obtain this data. In one of the posts,
there was a mention that they “discovered a massive 40 GB source code
trove stashed on a server” but still their methods were not abundantly
clear. There are several deep web monitoring services available and we
have confirmed that at some point the Adobe data was available for
purchase for a whopping $6. However, speculation in some
circles has been that this data was originally acquired from a
private server and therefore to obtain the data they would have had to
have illicit access to the server themselves.

Regardless of the method used to obtain the data, at this point what
they have done is help to raise the awareness of several massive
breaches that have impacted millions of people around the world. As we
move forward, was this type of discovery a one-off or will we see more
data breach disclosure in this fashion?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
