BreachExchange mailing list archives
SQL Injection Leads To BigMoneyJobs.com Leak
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 4 Apr 2014 09:16:30 -0600
https://www.riskbasedsecurity.com/2014/04/sql-injection-leads-to-bigmoneyjobs-com-leak/

Earlier today, a hacker identified as ProbablyOnion (who recently breached Boxee.tv) posted data from a large job seeker website, resulting in over 36,000 accounts being published online. The website BigMoneyJobs.com is a large hub for job seekers and for employers looking to hire them. The breach was announced over Twitter and posted to the hacker's hidden TOR service as a 5.94MB Excel spreadsheet that contains all of the members from the website's database.

The leaked data contains personally identifiable information (PII) including full names, home addresses, phone numbers, email addresses, website registration information, and plaintext passwords, totaling 36,802 members. The passwords from the leak would allow anyone to instantly log in to the site's user interface. Based on a quick analysis of the passwords, it is clear that the system allows passwords that do not meet any accepted complexity or strength requirements: some passwords match the user's first or last name exactly, or are simple numerical combinations (e.g. 12345).

Based on conversations in online forums, the 'members' table of the database apparently contains both employee and employer credentials, and the breach was apparently carried out via a basic SQL injection attack.

We have created a DataLossDB incident, added the incident to Cyber Risk Analytics, and reached out to BigMoneyJobs for comment, but have not received a reply at the time of this posting.
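The post attributes the leak to a basic SQL injection against a 'members' table that held plaintext passwords, several of which equalled the user's name or a short digit string. The following Python example is added here to illustrate those three findings concretely; it is not code from the post, from Risk Based Security, or from BigMoneyJobs, and the member rows, column names and password-policy thresholds are constructed for the demonstration. It builds an in-memory SQLite 'members' table, shows how a string-concatenated login query lets a single payload dump every row (the same outcome the leak describes) while a parameterized query returns nothing for the same input, flags passwords that match a name or are purely numeric, and stores passwords as salted PBKDF2 hashes instead of plaintext.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows (not data from the leak). Two of the three passwords
# have exactly the weaknesses the post describes: one equals the first name,
# one is a short digit string.
MEMBERS = [
    ("alice", "Alice", "Smith", "alice"),
    ("bob", "Bob", "Jones", "12345"),
    ("carol", "Carol", "White", "correct-horse-battery"),
]

# Payload for the injectable query: closes the username literal, makes the
# WHERE clause always true, and comments out the password check.
INJECTION_PAYLOAD = "' OR 1=1 --"


def build_db():
    """Create an in-memory 'members' table holding plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members ("
        "username TEXT, first_name TEXT, last_name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", MEMBERS)
    return conn


def login_vulnerable(conn, username, password):
    """Classic injectable login: user input is spliced into the SQL text."""
    sql = (
        "SELECT username FROM members WHERE username = '%s' AND password = '%s' "
        "ORDER BY username" % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Hardened login: the driver binds the values, so quotes are just data."""
    sql = (
        "SELECT username FROM members WHERE username = ? AND password = ? "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql, (username, password))]


def dump_via_injection():
    """Returns every username: the injected clause matches all rows."""
    return login_vulnerable(build_db(), INJECTION_PAYLOAD, "anything")


def parameterized_blocks_injection():
    """Same payload against the parameterized query matches no row."""
    return login_parameterized(build_db(), INJECTION_PAYLOAD, "anything")


def password_is_weak(password, first_name, last_name, min_len=10):
    """Return a reason string for the weaknesses named in the post, else None.
    min_len is an assumed policy threshold for the example."""
    p = password.lower()
    if p in (first_name.lower(), last_name.lower()):
        return "matches a name"
    if p.isdigit():
        return "numeric only"
    if len(password) < min_len:
        return "too short"
    return None


def weak_accounts(conn):
    """Audit the table the way a quick analysis of the leak would."""
    rows = conn.execute(
        "SELECT username, first_name, last_name, password FROM members "
        "ORDER BY username"
    )
    findings = []
    for username, first, last, pw in rows:
        reason = password_is_weak(pw, first, last)
        if reason:
            findings.append((username, reason))
    return findings


def hash_password(password, salt=None, iterations=200_000):
    """Store a salted PBKDF2-HMAC-SHA256 digest instead of the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())


def verify_password(stored, candidate):
    """Constant-time comparison of the recomputed digest against the stored one."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("injection dump:", dump_via_injection())
    print("parameterized:", parameterized_blocks_injection())
    print("weak accounts:", weak_accounts(build_db()))
```

Running the block shows the injected username alone returning all three members from the vulnerable query and nothing from the parameterized one, and the audit flagging alice (password equals first name) and bob (numeric only). With hashed storage, a dump of the table would yield salted digests rather than the credentials themselves.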
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients, contact us!