Doxbin Leak Includes Criminals' Data, Could Boost Hacking

Internal Conflict Caused Leak of Hacker Data, Owners of Darkweb Forum Say
Threat actors who use data-sharing website Doxbin have had passwords, decryptor keys, multi-factor authentication codes and stealer logs leaked online, according to security experts. Hackers routinely use Doxbin to dump their victims' personally identifiable information.
The leaked data, available for free on darknet forum RaidForums, includes personally identifiable information of an undisclosed number of Doxbin users - both hackers and their victims - according to information collated from threat intelligence firm Cyble and independent researcher and threat hunter Troy Hunt.
This incident appears to be different from previously observed data dumps, as the leaked data includes highly sensitive information such as plaintext passwords, multifactor authentication codes, stealer logs and chat history belonging to known threat actors.
As of Jan. 8, 380,000 email addresses across user accounts and doxes breached were shared online, according to a tweet by Hunt, who is the founder of the data leak tracking website Have I Been Pwned.
New sensitive breach: The "doxing" website Doxbin had 380k email addresses across user accounts and doxes breached and shared online this week. Extensive personal information in doxes was also exposed. 27% were already in @haveibeenpwned. Read more: https://t.co/bkFyrWCxMj

- Have I Been Pwned (@haveibeenpwned), January 8, 2022
At last count on Thursday, Cyble estimates that more than 700,000 email addresses were leaked. The exposed information includes identities of the threat actors' family members, IP addresses and geolocation, the Cyble report says.
The doxed information includes critical, work-related information that may be exploited to carry out phishing attacks, Cyble says. It warns that there might be a spike in malicious activities, such as identity theft, because of the leak.
Significance to Threat Actors
Based on the dark web chatter observed by Cyble, it appears that the leaked dox contains information that can augment or corroborate law enforcement agencies' investigative work, says Dhanalakshmi PK, senior director of malware and intelligence research at the company.
Asked if the leaked information could help law enforcement agencies track down threat actors, Dhanalakshmi says that the leaked information could be aliases used by threat actors and thus may not be genuine. But she says, it could aid authorities in verifying information about the threat actors.
Dhanalakshmi tells Information Security Media Group that the leak may affect the activities of reputed threat actors such as Pompompurin and Omnipotent. The latter is the admin of RaidForums.
Other threat actors, she adds, may use the leaked data to their own advantage. Take stealer logs, for instance: A stealer is a Trojan used by threat actors to gather information from its victims' systems. It allows cybercriminals to quickly search through massive amounts of data.
Cyble's report contains a snapshot of the leaked information and shows how one victim was infected with Mercurial Grabber, a stealer used by ransomware groups.
"We have observed instances where forums implode and give out information about administrators and moderators of the said forum. These forums also compete for user time and retention," Dhanalakshmi says.
This isn't a new phenomenon. In August 2021, an insider obtained leaked data about the Conti ransomware group, after a falling out. At the time, Sophos researchers said that the data leak "didn't really amount to much," because ransomware-as-a-service groups tend to keep details about decryption keys and blackmail payments to themselves.
Sophos added that the leak wouldn't help ransomware victims decrypt scrambled files, as the decryption keys were not exposed. The Doxbin data leak, however, does include decryption keys.
An Act of Retribution?
KT and Brenton call themselves the owners and administrators of Doxbin in a note published on the company's website that offers an explanation for the source of the leak.
The note says that Doxbin was sold to 16-year-old user Arion Kurtaj, aka "White," in November 2021. But since he could not make significant progress with the platform, he put Doxbin up for sale and was offered a deal by Brenton and KT.
After the deal, White was "demoted from the community Discord server as he was not part of the project anymore," the note says. This caused White to steal the community Discord, take back controls, and eventually leak the user database in an act of retribution, the note says.
Following the disclosure, Doxbin's new owners realized that White had altered the source code so that every login attempt was logged in plaintext.
The administrators have warned users that anyone who logged in between Nov. 9, 2021, and Jan. 4, 2022, was at risk of having their Doxbin passwords logged in plaintext.
KT and Brenton say that the leaked data contains critically important pieces of information, such as Bcrypt hashed passwords, blacklist information and two-factor authentication secret codes.
Doxbin's administrators admit that the compromised information is a serious issue and will have a "heavy impact" on its reputation.