Ask.FM Database With 350 Million User Records Allegedly Sold Online (cybernews.com)
A listing on a popular hacker forum offers 350 million Ask.FM user records for sale in what might be one of the biggest breaches of all time. Cybernews reports: The listing allegedly includes 350 million Ask.FM user records, with the threat actor also offering 607 repositories plus their Gitlab, Jira, and Confluence databases. Ask.FM is a question-and-answer network launched in June 2010, with over 215 million registered users. The posting also includes a list of repositories, sample git, and sample user data, as well as mentions of the fields in the database: user_id, username, mail, hash, salt, fbid, twitterid, vkid, fbuid, iguid. It appears that Ask.FM is using the weak hashing algorithm SHA1 for passwords, putting them at risk of being cracked and exposed to threat actors.
In response to DataBreaches, the user who posted the database -- Data -- explained that initial access was gained via a vulnerability in Safety Center. The server was first accessed in 2019, and the database was obtained on 2020-03-14. Data also suggested that Ask.FM knew about the breach as early as 2020. While the breach has not been confirmed, the seller called "Data" says he will "vouch all day and night for" listed user data from Ask.FM (ASKfm), the social networking site. "I'm selling the users database of Ask.fm and ask.com," Data wrote. "For connoisseurs, you can also get 607 repositories plus their Gitlab, Jira, Confluence databases."
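As an added illustration of the SHA1 point in the summary (example code written here, not code from the story, Cybernews or Ask.FM), a Python sketch of the standard defensive migration: wrap each stored salted-SHA1 digest in scrypt immediately, so a leaked table is no longer cheap to guess against, and replace the legacy layer with a plain scrypt hash the next time the user logs in. The SHA1(salt || password) construction, the scheme and salt2 fields and the sample record are assumptions; only the field names mail, hash and salt come from the listing.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass
class UserRecord:
    # mail/hash/salt follow the listing's field names; scheme and salt2 are assumptions.
    user_id: int
    mail: str
    hash: str               # hex digest
    salt: str               # hex salt for the legacy SHA1 layer
    scheme: str = "sha1"    # "sha1" | "scrypt-over-sha1" | "scrypt"
    salt2: str = ""         # hex salt for the scrypt layer of a wrapped record

def sha1_salted(password: str, salt_hex: str) -> str:
    # Legacy construction assumed here: SHA1(salt || password). One SHA1 is cheap, so the salt alone does not slow offline guessing.
    return hashlib.sha1(bytes.fromhex(salt_hex) + password.encode()).hexdigest()

def scrypt_hex(data: str, salt_hex: str) -> str:
    # Memory-hard KDF from the standard library; each guess now costs ~16 MiB and real CPU time.
    return hashlib.scrypt(data.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1, dklen=32).hex()

def wrap_legacy(rec: UserRecord) -> None:
    """Harden a stored SHA1 digest right now, without the password: hash := scrypt(sha1_digest)."""
    if rec.scheme == "sha1":
        rec.salt2 = os.urandom(16).hex()
        rec.hash = scrypt_hex(rec.hash, rec.salt2)
        rec.scheme = "scrypt-over-sha1"

def verify(rec: UserRecord, password: str) -> bool:
    if rec.scheme == "sha1":
        expected = sha1_salted(password, rec.salt)
    elif rec.scheme == "scrypt-over-sha1":
        expected = scrypt_hex(sha1_salted(password, rec.salt), rec.salt2)
    elif rec.scheme == "scrypt":
        expected = scrypt_hex(password, rec.salt)
    else:
        return False
    return hmac.compare_digest(expected, rec.hash)

def verify_and_upgrade(rec: UserRecord, password: str) -> bool:
    """On a successful login, drop the SHA1 layer entirely and store a plain scrypt hash."""
    if not verify(rec, password):
        return False
    if rec.scheme != "scrypt":
        rec.salt, rec.salt2 = os.urandom(16).hex(), ""
        rec.hash = scrypt_hex(password, rec.salt)
        rec.scheme = "scrypt"
    return True
```

Run wrap_legacy over the whole table during the incident, then let verify_and_upgrade retire the SHA1 layer per user as logins happen; a constructed record such as `UserRecord(1, "u@example.test", sha1_salted("pw", "00" * 16), "00" * 16)` walks through all three schemes.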
Re: (Score:3)
Same here. I was like, "the biggest data heist in history? But WTF is ASK.fm???"
fbid, twitterid? (Score:2)
Why would a subscriber pass that info on when registering?
Re: (Score:2)
For some reason, people just love freely giving away all sorts of unnecessary information about themselves.
3rd-party identity providers (Score:2)
OAuth single sign-on login flow. "Sign in with Twitter" / "Sign in with Facebook". Ask.FM needs to have a record of which 3rd-party identity provider user is linked to an Ask.FM account.
On the plus side, if they're using an OAuth flow to sign in with Twitter/FB... Ask.FM doesn't necessarily have a password for them to begin with, and the entire point is that Ask.FM doesn't get access to any user attributes beyond what is explicitly released as part of the login transaction.
Also applies in this case with i
Re: (Score:2)
Now, kindly remove yourself from my yard,
Sold? (Score:2)