interview with security blog Krebs
Argentinian researcher Ch Russo revealed that he and two of his associates discovered
injection vulnerabilities on the world's most popular torrent site, The
They successfully exploited these vulnerabilities to gain 4 million users' user names, e-mail addresses, and internet addresses. While the vulnerability exploited is quite different, the leak is very reminiscent of the recent snatch of iPad buyers' email addresses by Goatse Security. Unlike that incident, though, the purloined information has the potential to put a number of people in sticky legal water if it falls into certain hands (i.e. the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA)).

Russo said he briefly considered how much the RIAA and MPAA would give him for the info, but decided against selling it. He states, "Probably these groups would be very interested in this information, but we are not [trying] to sell it. Instead we wanted to tell people that their information may not be so well protected."

Brian Krebs -- apparently a TPB user himself -- verified that Russo had this info by sending him his username, in exchange for the gathered email and password hash. Krebs verified these items were indeed correct, validating Russo's claims. Russo says he made no alterations or deletions to the records in the system.

He did, however, gain some even more valuable information than the massive record of average Joe and Jane users. He also looted a list of the user names and MD5-hashed passwords of the site's top administrators and moderators. That list would be of particular interest to the RIAA and its international sister organization, IFPI, which have
over attempts to try to shut the site down.

Russo contacted The Pirate Bay about his findings, but has received no response. The site did remove the insecure component, though, safeguarding itself from future attacks of this nature. Russo, who is only 23, is leveraging the incident as a bit of a publicity stunt in order to promote his security exploit software
Framework. He hopes to sell that to businesses as a tool to perform simulated attacks on their networks and verify security, similar to what the popular Eleonore exploit
Pirate Bay has released no official response to the news of the breach. The latest development is that the homepage appears to be down and displays this message:
some stuff, database is in use for backups, soon back again.. Btw, it's nice weather outside I think.
they took the leak pretty seriously.
quote: We may also disclose your personal information and other information you provide to another third party as part of a reorganization or a sale of the assets of LinkedIn Corporation, a subsidiary or division. Any third party to which LinkedIn transfers or sells LinkedIn’s assets will have the right to continue to use the personal and other information that you provide to us.
quote: How can someone's information be considered "goods".