On September 3rd, 2020 Twitter confirmed that the personal Twitter account of Narendra Modi, India’s Prime Minister, was hacked. This was followed by a series of tweets from the account asking followers to donate to the PM’s National Relief Fund via Cryptocurrency. Corresponding to similar cyber threat attacks in July on Joe Biden and Tesla founder Elon Musk, this is undoubtedly the latest high-profile Twitter security breach posing a great threat to personal privacy.
Cyble subsequently investigated the threat and noted that the breach was due to an account linked to the website of narendramodi.in. On September 3, Cyble notified CERT-India that the Twitter account was compromised through the website’s configuration (example access_token) linked with Twitter. At that point of time, Cyble wasn’t aware of the impact of the breach, however, we suspected that the threat actor/s may have accessed other files or potential databases.
On October 10, Cyble was tipped off that the database of the website is available in the darkweb. Subsequently, Cyble acquired and analyzed the data leak, which includes multiple databases. Cyble’s having gained exclusive access to the leaked data is a mark of the company’s solid relationship with the web community and its proven methodology for identifying, classifying, and maintaining sensitive data. Among the databases leaked, ‘cctransactions’ and ‘users’ contain a substantial amount of Personally Identifiable Information (PII) data belonging to the Prime Minister’s followers.
There is a high possibility of the data being misused for criminal purposes as it contains personal details of over 570,000 users. This includes PIIs such as Name, Email ID, contact information, etc.
Another database which is part of the data leaked showcases details of the financial transaction made by donors for contributing to the fund. This includes non-public data such as bank_ref_no, payment_mode, etc. We estimate that out of 574K users listed on the database, over 292K of them appears to have made donations to the concerned website only.
Our analysis further suggests that it includes donations or microdonations for a variety of causes such as COVID-19 Relief, supporting the political party, and other initiatives, e.g. Swachh Bharat.
It is important to note that multiple such databases may have been extracted from AWS-hosted instances and related to subdomains.
With such a large repository of unauthorized personal information of Indian citizens, the data has a potential for being misused for malpractices such as Phishing Emails, Spam Text Messages, etc.
At this point in time, Cyble suspects that the threat actor/s may have accessed other documents and files (per above screenshot).
Cyble has indexed this information and is available on AmiBreached.com. Individuals are encouraged to register on Cyble’s AmiBreached.com platform to ascertain the risks and gauge the extent of the information exposure suffered. Also, Android users (Link) and iOS users (Link) can gain full (and free) access to AmiBreached platform by downloading the mobile application.
Below are some of the safe practices we highly recommend people to follow for protecting their information in the risky cyber threat landscape:
- Never share personal information, including financial information over the phone, email or SMS.
- Use strong passwords and enforce multi-factor authentication where possible.
- Regularly monitor your financial transactions and if you notice any suspicious transactions, contact your bank immediately.
- Turn-on the automatic software update feature on your computer, mobile, and other connected devices where possible and pragmatic to minimize the chances of hacking.
- Use a reputed anti-virus and internet security software package on your connected devices including PC, laptop, and mobile.
- People who are concerned about their exposure in the darkweb can register at AmiBreached.com to ascertain their exposure.
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.io.