The ‘START’ (start.ru) website, a Russian media streaming platform, has confirmed reports of a massive customer data breach. The platform’s administrators said that hackers broke into their network, stole a database dating from 2021, and are currently spreading samples online.
Email addresses, phone numbers, and usernames were taken from the database. START describes this data as boring to most cybercriminals, since it cannot be exploited to take over accounts. No financial information, bank card information, browsing history, or user passwords were affected, because that data was not in the database.
“We have already fixed the vulnerability, and access to our data is closed,” reads the statement on Telegram. START is not mandating a global password reset, although all users are advised to update their passwords.
The first reports of a START data breach surfaced on Sunday, August 28, when a 72GB MongoDB JSON dump holding data on over 44 million users started to circulate via a social network. Numerous entries in the dump relate to test accounts. However, the dump contains 7,455,926 unique email addresses, which is probably close to the actual number of exposed users. The records are current as of September 22, 2021, so users who registered with the service after that date are unaffected.
According to the Russian news outlet Medusa, random entries from the compromised database were tested against START’s password recovery tool, and all logins were successful. The leaked dump also differs from START’s announcement: it includes information that is not mentioned in the platform’s official statement, such as md5crypt-hashed passwords, IP addresses, login logs, and subscription details.
The growing cyber-offensive activity against Russian internet platforms has prompted Moscow to put in place measures to protect its citizens’ data from exposure and to prevent unauthorized access to user data. According to a Kommersant report from last week, the Ministry of Digital Development is supporting a plan to compile a list of “unacceptable IT security practices” in an effort to educate business executives.
Earlier this month, the same ministry suggested establishing a fund that would be used to compensate victims of database breaches. The fund would be supported by penalties levied on the organizations responsible for the security breaches. The proposed regulation calls for a fine of 3% of the company whose security was compromised, to encourage businesses to create and implement robust security measures.