12 comments

[ 3.0 ms ] story [ 15.2 ms ] thread
The main thing I wanted to know is how they got hacked:

Troia said the intrusion into his service [was] because his developer accidentally left his credentials exposed in documents explaining how customers can use Data Viper’s application programming interface. “I will say the irony of how they got in is absolutely amazing,” Troia said.

Back door, or front door
Sounds like piss poor security / opsec.
> Smoke and mirrors, indeed. It’s entirely possible this incident is an elaborate and cynical PR stunt by Troia to somehow spring a trap on the bad guys.

That’s the juicy bit of the story. Has this all been staged?

Who has the magnet link
I had a look at some of the data posted about this leak between reporters and researchers. A few highlights:

1. The FBI does appear to have been a subscriber to Mr. Troia's services. Two FBI emails to agents appear among the list of subscribers that is not very big. Also Europol, Amazon, and the Dubai Police also appear...

2. The MGM Grand appears to have grossly understated the amount of users who were hacked in the 2019 breach. This hacker is claiming well over 100 million, instead of the 10 million or so MGM claims.

3. The most relevant paragraph I think is the below:

> DataViper contained several undisclosed breaches . MGM Grand Hotels is included in the dataset with 142 million entries and was imported by Vinny on November 30th 2019 . This number is very different to the 10.7 million number that they stated were affected [1] . This indicates that MGM knowingly misreported information regarding this data breach and that Vinny is aware of this misrepresentation . FiveStars is another data breach that is in DataViper but not publicly disclosed . It was imported in November 2019 . It is unclear where it was reported to them and they failed to notify their users or if Vinny did not notify FiveStars . The same is true of Zumiez.com (160 million), Avito.ru (30 million), Mamba.ru (13 million), MyVestige.com (11 million), LocateFamily.com (11 million), and others .

4. I forked the entire list of domains hacked, provided by the original reporter I believe at ZDNet, to here: https://gist.github.com/danvau7/337b0ac71db8c7298e712ed5ba3a...

5. Vinny Troia claims a PhD, but it comes from the not very well respected / for-profit "Capella University" in the United States.

That list has some big names on it.

> Troia said the people responsible for compromising his site are the same people who hacked the databases they are now selling on the dark web and claiming to have obtained exclusively from his service.

So he's saying that these guys successfully compromised all these domains while he watched, but never did anything with the stolen info, waiting to blame it all on an intrusion into his company... in retaliation for him watching them steal it all in the first place?

That's some real Xanatos Gambit stuff right there. Maybe Troia lives in a David Mamet film.

The apparent breach at St. Louis, Mo. based Data Viper offers a cautionary and twisted tale of what can happen when security researchers seeking to gather intelligence about illegal activity online get too close to their prey or lose sight of their purported mission.

Yeah, the discussion of the data the company kept gives the impression that the only difference between Data Viper and a black hat data broker is that Data Viper sold to "vetted" law enforcement and security researchers.

Now, what potential for lawlessness does that give law enforcement?

I pay taxes

Taxes go to FBI/Europol etc

Security services pay these shady data brokers with my taxes to access data

Shady data broker buys hacked data from criminals with my taxes

Cybercriminals live off my taxes.

Cybercriminals hack more sites, selling/leaking my data.

I don't know whether the ends justifies the means here, but it seems really off that our security apparatus pays money to maintain a criminal ecosystem. On the other hand once the data is available it would also be wrong not to use it to catch pedophiles, mafia members, tax evaders, ...

where is the class action against Data Viper
I'm sure my data was in his data breach. I will join the suit