Researchers discovered 30 million records belonging to American customers of the Astoria Company, apparently leaked in a data breach. And that is just a fraction of the whole leaked data.
Astoria Company LLC is a lead generation company and lead exchange, connecting consumers with the products and services across multiple industries. The company operates a network of websites collecting information for people that may be looking for discounted car loans, medical insurance, or a payday loan. Collected data is shared with a number of partner sites (such as insurance or loan agencies).
On January 26, 2021, the threat intelligence team at NightLion Security found several databases offered for sale on the Dark0de market by the popular hacking group Shiny Hunters.
The leaked data had 400 million Facebook users, a database with details on Instagram users, and 300 million records of Astoria Company customers. The data of the Astoria Company, some alleged, included 40 million US social security numbers, but the number was later proven to be inflated.
While the exposed records included Name, Email address, Date of Birth, Mobile Phone, Physical Address, and IP Address.
Other details exposed included full bank account information, email transaction logs, and medical history.
Astoria’s data were later put up for sale on dark web forums by a seller that goes by the name “Seller13.”
Nightlion researchers think Seller13 may be a member of ShinyHunters, and believe that Seller 13 is “Yousef,” the original seller of 400 million stolen Facebook accounts offered for sale in 2019.
“At this time it is unclear whether Seller13 is using the ShinyHunters name as a type of misdirection, or if the two actors are actually working together. Our conversations with Seller13 seem to indicate that he and ShinyHunters are working together,” NightLion reported.
The researchers found several web shells and malicious scripts on Astoria’s MortgageLeads.loans domain, including Corex.php and Adminer.php. They also determined that attackers deployed the Corex web shell URL and used a number of other exploit tools, including the adminer.php script.
“Given ShinyHunters’ tendency to hack sites using leaked credentials, our next step was to use the HiddenWWW search engine to look for publicly accessible code with potentially leaked credentials or AWS keys. The HiddenWWW search engine returned a list of potentially vulnerable URLs across a number of different Astoria domains. We then leveraged an OSINT telegram bot to ping each of the URLs and return a list of any that were valid,” the experts explained.
Seller13 explained to Night Lion’s team how the hacker managed to access Astoria’s database:
“Visiting the http://mortgageleads.loans/adminer.php URL, we noticed immediately that the admin credentials for user “adminastoria” were pre-saved, allowing anyone complete access to the database from a public URL — no authentication needed,” the experts said.
Night Lion Security reported to Astoria Company the flaw in their database and after an investigation the company rreported that a “former developer from India” was most likely responsible for intentionally saving the credentials to the site.
