On April 22, 2021, during our routine darkweb monitoring, researchers at Cyble discovered a Threat Actor (TA) posting sensitive Personally Identifiable Information (PII), including 59 million email IDs of US residents, on a cybercrime forum called RaidForums.
Figure 1 is a screenshot of the post made by the TA.
The data includes, among other things:
- Full name
- Phone numbers
- Email IDs (multiple for a few cases)
- Home address
- Date of Birth
- Number of children
- House price
- Location coordinates
- Political affiliation
- Habits and hobbies
Our research indicated that the TA joined the forum on October 26, 2020, and has contributed to 32 other threads. A positive reputation score of 2,567 suggests the TA has been considerably active on the forum and has contributed a significant amount of breached data to it.
Figure 2 shows the details of the TA.
This leak comprises a total of 250,808,966 lines of data, amounting to roughly 246 gigabytes. The data points available in the leak suggest that the source may have been a marketing/advertising firm. PII essential for profiling individuals, such as age, ethnicity, political leaning, income group, and ZIP code, is also part of the extensive dataset.
Figure 3 shows the unique IDs used to identify the individuals captured in the dataset. The data includes names, addresses, city police jurisdiction, ZIP codes, and the latitude and longitude of each individual's location.
Figure 4 shows the median income field, which serves as a coded proxy for net worth, along with other details such as credit capacity, marital status, whether the individual has a habit of reading, whether they own a PC, and whether they own other computers or consumer electronics.
Figure 5 shows fields recording whether the individuals have grandchildren, their family religion, whether they own pets (and if so, a cat or a dog), whether they are veterans, whether they donate to animal or children's welfare causes, what investments they hold, their cooking skills, and their taste in music and movies.
This breach contains extensive background information and profiles of the affected individuals. Given the sensitive nature of the data, there are innumerable ways it could be misused for malicious ends: the combination of contact details, home coordinates, financial indicators and political affiliation is exactly what targeted phishing, identity fraud and physical targeting rely on.
Cyble has been reporting these breaches to spread awareness of the risks associated with using online services and the growing threats to data security.
We recommend that people:
- Never share personal information, including financial information, over the phone, email, or SMS.
- Use strong passwords and enable multi-factor authentication wherever possible.
- Regularly monitor your financial transactions, and if you notice any suspicious transaction, contact your bank immediately.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and practical.
- Use a reputable anti-virus and internet security software package on your connected devices, including PCs, laptops, and mobiles.
- People who are concerned about their exposure on the darkweb can register at AmiBreached.com to ascertain their exposure.
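For a security team that obtains a copy of a dump like this, the first practical question is which of its own employees or customers appear in it, and which profiling fields are populated for them. The script below is an added example, not Cyble's tooling or the AmiBreached.com service. The dump it scans is a small constructed sample whose column names (uid, first_name, email, latitude, political_affiliation, and so on) are assumptions modelled on the field types described above, not the real header list; the watchlist addresses are likewise made up. Only SHA-256 hashes of normalised email addresses are compared and reported, so the raw leaked addresses never need to be copied into findings or logs.

```python
"""Match an organisation's own contact list against a leaked PII dump.

Added example for this post; not Cyble's code. All data below is constructed.
"""
import csv
import hashlib
import io
from collections import Counter

# Constructed sample dump. Column names are assumed, modelled on the field
# types the post describes (unique ID, name, email, phone, address, coordinates,
# political affiliation). Some records carry several email IDs; we assume
# they are ';' separated, as the real delimiter is not stated in the post.
SAMPLE_DUMP = """\
uid,first_name,last_name,email,phone,zip,latitude,longitude,political_affiliation
1001,Jane,Doe,JANE.DOE@example.com,555-0100,30004,34.0754,-84.2941,Independent
1002,John,Roe,john.roe@example.org,555-0101,30005,34.0680,-84.3000,Democrat
1003,Ann,Poe,ann.poe@example.net,,30022,34.0300,-84.2500,Republican
1004,Sam,Loe,sam.loe@example.com;sam@example.com,555-0102,30004,34.0754,-84.2941,
"""

# Constructed watchlist of addresses the team is responsible for.
WATCHLIST = ["jane.doe@example.com", "sam@example.com", "nobody@example.com"]


def normalise_email(addr: str) -> str:
    """Case-fold and trim so 'JANE.DOE@Example.com ' matches 'jane.doe@example.com'."""
    return addr.strip().lower()


def email_hash(addr: str) -> str:
    """SHA-256 of the normalised address; only hashes are stored or reported."""
    return hashlib.sha256(normalise_email(addr).encode("utf-8")).hexdigest()


def iter_emails(row: dict):
    """Yield every non-empty email ID in a record (assumed ';' separated)."""
    for part in row.get("email", "").split(";"):
        if part.strip():
            yield part


def scan_dump(dump_text: str, watchlist):
    """Return (hits, field_coverage).

    hits: one entry per watchlisted address found, with the record's uid, the
          email hash that matched, and which other fields are populated.
    field_coverage: Counter of how many records have each column non-empty,
          which tells you how rich the profiling data in the dump really is.
    """
    watch = {email_hash(a) for a in watchlist}
    hits = []
    coverage = Counter()
    for row in csv.DictReader(io.StringIO(dump_text)):
        coverage["records"] += 1
        for field, value in row.items():
            if value:
                coverage[field] += 1
        for email in iter_emails(row):
            h = email_hash(email)
            if h in watch:
                exposed = [k for k, v in row.items() if v and k != "email"]
                hits.append({"uid": row["uid"], "email_hash": h, "fields_exposed": exposed})
    return hits, coverage


if __name__ == "__main__":
    found, cov = scan_dump(SAMPLE_DUMP, WATCHLIST)
    print(f"{cov['records']} records scanned, {len(found)} watchlist hits")
    for hit in found:
        print(f"uid={hit['uid']} hash={hit['email_hash'][:16]}... "
              f"exposed={','.join(hit['fields_exposed'])}")
    for field in ("latitude", "political_affiliation", "phone"):
        print(f"{field}: populated in {cov[field]}/{cov['records']} records")
```

The field-coverage counts matter as much as the hits: a dump where coordinates and political affiliation are populated for nearly every record supports far more precise targeting than a bare email list, and that distinction should drive how you brief the affected people.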
Here's the full list of headers in the dataset:
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.