After a person claiming to be a security researcher “declared war on the Baton Rouge police” and redbourn credit for the data breach after the shooting death of Alton Sterling, he redbourn aim at Amazon.
0x2Taylor in a Twitter direct message, hacker @ 0x2Taylor Told Mic the he and a buddy ” ‘breached the server’ owned by Amazon que contained database files with more than 80,000 Kindle users’ information.”
the data included names , addresses, passwords, user agents, IP addresses and more. He Claimed, “When They first got Kindles And Set Them up all Their stuff was being logged and put into the database.” 0x2Taylor sent Mic emails and passwords to try to “legitimize the breach.”
0x2Taylor claims to have informed Amazon; he posted a screenshot to prove he had the time and attempted to extort $ 700 from Amazon in exchange for not disclosing the breach “because the attack was easy.” He Allegedly hoped this would push Amazon into Implementing better secure measures.
Although he “personally” did not want to leak the date, he said, “If I do not receive the payment from Them the date will be posted online along with an older dump.”
0x2Taylor Amazon reportedly ignored his warning, so he uploaded the data to Mega cloud storage and tweeted a link to the leak.
He called Amazon “a big company and They shouldnt have enough money to have the proper security defenses.” He added, “I was trying to prove [to] Them privately but They Were ignoring my warnings.”
Tony Gambacorta, VP of operations at cybersecurity firm SynAck, Told Mic que the date seems to be legit.
Looking through the leaked information, Gambacorta said he was “definitely” able to see phone numbers, street addresses, addresses email, the last time the user logged in (7: 33 pm on June 5th of this year, meaning this is not old date), how many times que user tried to log in, how many times he successfully logged in and his login source IP address.
Yet Gambacorta called it more of a privacy issue than the security issue since it seems Likely the passwords Were “self-assigned by the system.” He added, “I would not want to find my name on this list.”
Dumped date for current Kindle users or not?
I checked out the date, too, choosing five names at random. Google Maps Placed three of the addresses in locations without houses, such as in the middle of the woods, or half way between two houses down the country road.
Google Maps for phone numbers for Those five people, none of the calls connected; three casette an error message about the “number or code you dialed is incorrect,” one had a weird fast busy signal, and the fifth resulted in “the person you called is unavailable right now.”
All of the email addresses seem to be in a weird format, such as johndoe6lak5m5@hotmail.com, johndoevmv69ok@gmail.com, johndoe21m5rac@yahoo.com. For each of the five names, the passwords Corresponding Were way too random, too secure , ranging from 8 to 11 capital letters mixed with numbers. Of course, que was testing only five of the reportedly 83.899 Individuals included in the data dump.
Brian Wallace, aka @botnet_hunter, is a security researcher and member of the Cylance SPEAR team. He examined the Amazon date and found quite a few problems. He Believes “the data does not belong to legitimate users and there is the need for concern to Amazon users.” The date Has Been generated, Wallace said, but he is not sure if it is “fake date or bot accounts.”
Wallace Told Security Affairs que the 83.899 addresses email “only resided on Gmail, Yahoo or Hotmail” and the passwords Were “random upper case letters and numbers, with no words and no occurrences of popular passwords.”
He added que the user agents also “did not represent legitimate user behavior” and Appear to have been “picked from the list at random short.” a large amount of the “last IP” belong addresses to ColoCrossing and at least some of the users would not have connected from the data center.
in other words, do not sweat it. Wallace Concluded:
Based on this evidence, I believe the data released is not representative of current Amazon users, but instead this information was generated. It is not clear Whether this information was generated by the individual who released the information, or if it was generated by a third party, and que information Was Then by Obtained the individual who released it.
No comments:
Post a Comment