Key InfoSec Events of February 2019: Major Data Breaches, Crypto News, and Security Trends

Terabytes of Leaked Data: Collection #1 and Beyond

In January, renowned cybersecurity expert and creator of the Have I Been Pwned (HIBP) leak aggregator, Troy Hunt, drew the community’s attention to a strange dump called “Collection #1,” published on the Mega file-sharing service. This collection contained a total of 2,692,818,238 records of email addresses and passwords. According to Hunt, it included 772,904,991 unique email addresses and 21,222,975 unique passwords.

While major media outlets rushed to call this dump “the mother of all breaches” (Gizmodo) and “the largest collection of breaches ever” (Mashable), the reality was less dramatic. Most of “Collection #1” was a compilation of old data breaches, with little new information. Hunt noted that only 141 million (about 18%) of the email addresses were new to HIBP and not part of previously known breaches. Half of the 21 million unique passwords had also already been leaked before.

In February 2019, experts from Recorded Future reported that they had likely identified the person who compiled and sold this collection: a hacker known as C0rpz. It took him about three years to assemble this massive dump, which included numerous leaks from various companies. “Collection #1” was just one part of C0rpz’s archive, which also included at least five numbered parts and two add-ons titled ANTIPUBLIC and AP MYR & ZABUGOR.

  • ANTIPUBLIC #1 (102.04 GB)
  • AP MYR & ZABUGOR #2 (19.49 GB)
  • Collection #1 (87.18 GB)
  • Collection #2 (528.50 GB)
  • Collection #3 (37.18 GB)
  • Collection #4 (178.58 GB)
  • Collection #5 (40.56 GB)

In total, the archive contains about 3.5 billion records—combinations of email addresses and passwords, usernames and passwords, phone numbers and passwords, and so on. C0rpz sold this collection to several clients, some of whom are now distributing it for free via file-sharing services and torrents. Journalist Brian Krebs identified at least two buyers: hackers Sanix and Clorox. In early January 2019, Clorox posted part of the collection on Raid Forums, drawing media and expert attention to “Collection #1.”

Experts emphasize that most of the data in these collections were already known and previously sold or distributed separately. Users are urged not to panic and to practice basic digital hygiene: use strong, unique passwords for each site and service, enable two-factor authentication, and avoid sharing personal data with suspicious companies.

Gnosticplayers: Massive New Data Dumps for Sale

In early February, a hacker or group known as Gnosticplayers put several large user data dumps up for sale on the Dream Market marketplace. The first batch included data from 620 million users across 16 major sites, including MyHeritage, 500px, and Dubsmash, with a total asking price of about $20,000 in Bitcoin.

After the dump was publicized, many companies had to admit they were breached and began notifying users or forcing password resets. Companies like Dubsmash, 500px, EyeEm, Coffee Meets Bagel, and DataCamp launched investigations.

A second dump appeared soon after, containing 127 million records from eight more compromised companies, including file-sharing service Ge.tt and crypto exchange Coinmama, priced at $14,500 in cryptocurrency. A week later, a third dump was posted, with data on 92.76 million users, including 8 million from GIF-hosting site GfyCat, 11 million from recruiting portal Jobandtalent, and 61 million from online photo editor Pizap. None of the companies listed by the hacker had previously reported any security incidents.

Gnosticplayers told journalists he has about 20 different databases, some of which he plans to sell and others to keep for personal use, totaling about a billion accounts, with the oldest leaks dating back to 2012. He claims to have directly hacked the listed companies, not just acted as a reseller. When asked about his motives, he said he was interested in “money and ruining American pigs.” Each dump included a message criticizing US and UK authorities for the arrest of another hacker, George Duke-Cohan, a member of Apophis Squad, who was sentenced to three years in the UK and faces up to 65 years in the US.

Porn Accounts Targeted Twice as Often

Kaspersky Lab experts found that criminals are increasingly targeting users of adult sites, especially those with premium accounts. Malware is mainly interested in credentials for sites like Brazzers, Chaturbate, Pornhub, Myfreecams, Youporn, Wilshing, Motherless, XNXX, and X-videos.

The number of people facing attempts to steal their logins and passwords for paid adult content doubled from 50,000 in 2017 to 110,000 in 2018. Offers to sell stolen credentials in the dark web also doubled, from 5,000 in 2017 to 10,000 in 2018. The average price for one account on the black market is $5–10. The number of Trojan families targeting such data increased from 3 in 2017 to 5 in 2018. There are 642 families and 57 types of “pornographic” malware for PCs. The number of phishing pages imitating major free porn sites increased more than tenfold in Q4 2018.

Cryptocurrency News

QuadrigaCX Bankruptcy

Canadian crypto exchange QuadrigaCX faced a bizarre situation: over 100,000 users lost access to their funds after founder Gerald Cotten died in India in December 2018. Cotten was the only person with access to the exchange’s cold wallet. The exchange continued operating for almost a month after his death, using hot wallets and fiat accounts. Only in January did Cotten’s widow, Jennifer Robertson, announce his death on Reddit, prompting users to withdraw funds and destabilize the exchange.

Attempts to access the cold wallet, including hiring specialists to hack Cotten’s laptop, failed. Court documents revealed that the inaccessible wallet held about 0.5% of all Ethereum tokens and large amounts of other cryptocurrencies: 26,500 Bitcoin, 11,000 Bitcoin Cash, 11,000 Bitcoin Cash SV, 35,000 Bitcoin Gold, about 200,000 Litecoin, and 430,000 Ethereum. QuadrigaCX cannot access about $190 million, with $53 million frozen due to disputes with third parties. Media investigations raised questions about the timing of withdrawals and the exchange’s financial health, with some suggesting problems began as early as 2017.

Coinhive Shuts Down

Coinhive, a service designed as a legal alternative to banner ads but widely abused by criminals, announced its closure. After Monero’s latest hard fork, Coinhive’s hash rate dropped by over 50%, and the overall crypto market crash made the service unprofitable. Coinhive will officially shut down on March 8, 2019, with users able to withdraw funds until April 30.

Coinhive, launched in late 2017, became synonymous with cryptojacking—browser-based mining using visitors’ computers without their knowledge. The service was quickly adopted by cybercriminals, and many site owners were unaware mining scripts had been injected into their sites. By 2018, Coinhive was blacklisted by antivirus and content blockers and considered malware. Security expert Jérôme Segura of Malwarebytes noted that cryptojacking peaked in late 2017–early 2018 and has since declined with falling crypto prices and interest.

EOS Blacklists Fail

On February 22, 2019, an EOS cryptocurrency holder discovered his account had been compromised and followed the standard procedure to notify the 21 block producers (the top EOS miners). These producers are supposed to update blacklists to prevent hackers from cashing out stolen funds. However, the process failed when one producer, games.eos, did not update their blacklist in time, allowing hackers to steal 2.06 million EOS (about $7.7 million at the time). EOS42, a block producer, has proposed revising the blacklist system to make it more democratic and secure.

Password Security: Who Does It Best?

Digital Security tested password policies of 157 web services, including social networks, email clients, cloud storage, and online banking. Gaming services have improved their password policies since 2015, while payment systems have lagged. WebMoney, the previous leader among payment services, dropped to last place, while Skrill took first. Social networks generally do not enforce strong password creation, increasing the risk of breaches. Facebook scored 8 out of 11.5 points, leading among social networks, followed by StackExchange and Odnoklassniki. Email services led in password security: Outlook (10 points), Gmail (9), Mail and Yahoo (7.5), Yandex (6), and Rambler (1.5).

WinRAR Vulnerability: 19 Years Undetected

Check Point researchers discovered a serious vulnerability in WinRAR, affecting all 500 million users. The bug, present for about 19 years, was linked to the third-party UNACEV2.DLL library, used for unpacking ACE archives. Attackers could create a special ACE archive that, when unpacked, would place malware anywhere on the system, such as the Startup folder, to run on every boot.

The issues (CVE-2018-20250 to CVE-2018-20253) were fixed in WinRAR 5.70 Beta 1 in January 2019. Since the source code for UNACEV2.DLL was lost, support for ACE archives was dropped. Users are strongly advised to update WinRAR and avoid opening ACE archives from unknown sources. Within a week of disclosure, 360 Threat Intelligence Center reported that the vulnerability was already being exploited in spam campaigns.
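The bug class described above is an archive entry whose name resolves to a location outside the extraction directory. The Go function below is an added illustration of the validation an extractor needs before writing any entry; it is not taken from WinRAR or from the Check Point research, the name SafeExtractPath is this example's own, and the entry names in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry flags an entry that would be written outside the destination.
var ErrUnsafeEntry = errors.New("archive entry escapes destination directory")

// SafeExtractPath maps an archive entry name onto a path under destDir and
// rejects drive letters, absolute and UNC paths, and ".." traversal.
func SafeExtractPath(destDir, entryName string) (string, error) {
	// Entries written on Windows may use backslashes; treat them as separators.
	name := strings.ReplaceAll(entryName, `\`, "/")
	// "C:..." is never a legitimate relative entry name.
	if len(name) >= 2 && name[1] == ':' {
		return "", ErrUnsafeEntry
	}
	// Absolute ("/etc/x") and UNC ("//host/share/x") paths are rejected outright.
	if strings.HasPrefix(name, "/") {
		return "", ErrUnsafeEntry
	}
	// Clean collapses "a/../b"; whatever still starts with ".." leaves destDir.
	clean := filepath.Clean(name)
	if clean == "." || clean == ".." || strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeEntry
	}
	target := filepath.Join(destDir, clean)
	// Final check on the resolved path rather than on the input string.
	rel, err := filepath.Rel(destDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeEntry
	}
	return target, nil
}

func main() {
	// Constructed entry names: one benign, three of the kind the check must refuse.
	for _, e := range []string{"docs/readme.txt", `..\..\Startup\evil.exe`,
		`C:\Windows\Temp\evil.exe`, "a/../../etc/cron.d/job"} {
		p, err := SafeExtractPath("/tmp/extract", e)
		fmt.Printf("%q -> %q %v\n", e, p, err)
	}
}
```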

VFEmail Destroyed by Attackers

On February 11, 2019, unknown attackers broke into the US servers of secure email service VFEmail and wiped all data, including virtual machines, backups, and the file server. Founder Rick Romero wrote on Twitter: “Yes, VFEmail is essentially destroyed. It’s unlikely to return. I never thought anyone would care enough about my free work to want to completely destroy it.”

“Sovereign Runet” Law

In December 2018, Russian lawmakers introduced bill No. 608767-7 to protect the stability of the Russian internet (Runet). The bill, quickly dubbed the “sovereign internet” or “Runet isolation” law, aims to allow Russian authorities to control the country’s internet connections with the outside world and ensure Runet can operate independently if needed. The bill passed its first reading on February 12, 2019, but funding and implementation details remain unclear. Experts and industry representatives have criticized the bill for its vague goals, duplication of authority, and likely high costs.

60% of Exchange Hacks Attributed to Two Groups

According to Chainalysis, just two hacker groups—dubbed Alpha and Beta—are responsible for 60% of publicly known crypto exchange hacks, stealing about $1 billion. Alpha is a large, well-organized group not always motivated by money, while Beta is smaller and focused solely on profit. A typical hack nets about $90 million. Stolen funds are moved around 5,000 times on average, with 50% cashed out within 112 days and 75% within 168 days. Alpha is more efficient at laundering and cashes out 75% of funds within 30 days, while Beta waits 6–18 months.

Encryption and FIDO2 for All

Google announced two major updates for mobile users in February. First, the new Adiantum encryption method was introduced for budget devices that can’t use AES due to lack of hardware support. Adiantum is about five times faster than AES-256-XTS on low-end processors like the ARM Cortex-A7, making encryption feasible for affordable smartphones, smartwatches, and TVs.

Second, all devices running Android 7.0 (Nougat) and above are now certified for FIDO2, with an update released for Google Play Services. This means users can now use alternative authentication methods—biometrics (face, fingerprint, iris), PINs, and patterns—instead of passwords. FIDO2 authentication is local, so private data isn’t sent to apps or services. Google’s Christiaan Brand explains that this shift away from shared secrets (passwords) to asymmetric authentication greatly improves security, as server-side breaches can’t compromise users’ private keys.
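To make the "no shared secret" point concrete, here is an added Go sketch of the registration and challenge-response flow using Ed25519 from the standard library; it is not Google's FIDO2 implementation and not code from the page. The Server, Authenticator and Register names are this example's own, and the local biometric/PIN gate is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server holds only public keys, indexed by credential ID; a dump of this map
// is useless for impersonation.
type Server struct{ creds map[string]ed25519.PublicKey }

func NewServer() *Server { return &Server{creds: map[string]ed25519.PublicKey{}} }

// Authenticator models the phone: the private key is minted on the device and never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// Register is enrolment: generate the key pair locally, send the server the public half only.
func Register(s *Server, credID string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.creds[credID] = pub
	return &Authenticator{priv: priv}, nil
}

// NewChallenge is the server's fresh per-login nonce; reusing one would permit replay.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign runs on the device after the local biometric/PIN gate (omitted here).
func (a *Authenticator) Sign(challenge []byte) []byte { return ed25519.Sign(a.priv, challenge) }

// Verify is the server-side check; it needs the public key and nothing secret.
func (s *Server) Verify(credID string, challenge, sig []byte) bool {
	pub, ok := s.creds[credID]
	return ok && ed25519.Verify(pub, challenge, sig)
}

func main() {
	s := NewServer()
	phone, _ := Register(s, "alice")
	ch, _ := NewChallenge()
	fmt.Println("login ok:", s.Verify("alice", ch, phone.Sign(ch)))
}
```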

Banks Still Unprepared for Cyberattacks

Group-IB analyzed high-tech crimes in 2018 and found that most hacker attacks still targeted the financial sector, with 74% of banks unprepared. The number of incident responses by Group-IB’s Computer Forensics Lab more than doubled compared to 2017. Active malware was found in 29% of banks, and traces of past attacks in 52%.

  • Major threats included targeted attacks, corporate espionage, ransomware, and crypto mining.
  • 74% of attacked banks were unprepared: over 60% couldn’t centrally manage their networks, especially in distributed infrastructures; about 80% lacked sufficient event logging for more than a month.
  • Over 65% of banks took more than 4 hours to coordinate between departments, with an average of 12 hours spent per incident on meetings and access approvals.
  • More than 60% couldn’t quickly change all passwords at once, allowing attackers to move laterally within compromised infrastructures.
  • 70% of organizations’ staff were unable or insufficiently able to detect signs of infection or unauthorized activity.
