Password data and other personal information for up to 2.2 million users of two websites, one a cryptocurrency wallet service and the other a gaming-bot provider, have been published online, according to Troy Hunt, the security researcher behind the breach notification service.
A haul contains personal information for up to 1
The person who published the 3.72GB GateHub database said it also contained two-factor authentication keys, mnemonics, and wallet hashes, though GateHub officials said an investigation suggested that wallet hashes were not accessed. The EpicBot database allegedly contained usernames and IP addresses. Hunt said he checked a representative sample of accounts from both databases to verify the data's authenticity. Every email address he checked was registered with the corresponding website.
Another indication that the data in the file belongs to GateHub account holders is this Twitter post. It came from Aashish Koirala, a self-described software developer, who said he had recently received an identity-protection notice from the consumer credit reporting service Experian. According to Koirala, the notice told him that "my credentials for @GateHub have been classified as vulnerable in the Dark Web".
@troyhunt I just received a message from Experian's ID protection service that my credentials were found compromised on the dark web. For your information, in case you have news about a GateHub breach or a hack.
– Aashish Koirala (@aashishkoirala) November 14, 2019
Although the two dumps contained 2.2 million unique email addresses, it is possible that not every address is accompanied by a corresponding password hash or other data.
The GateHub account data was posted to the RaidForums hacking site in late August, three months after the cryptocurrency service disclosed a breach in which attackers stole, or at least attempted to steal, a wealth of sensitive information for more than 18,000 user accounts. The wording of that disclosure made it unclear which data, beyond access tokens, was successfully obtained.
GateHub officials wrote:
As we indicated in our investigation update, we believe the offender gained unauthorized access to a database of valid access tokens belonging to our customers. With these tokens, the culprit accessed 18,473 encrypted customer accounts, a very small portion of our total user base. The targeted accounts were accessed for the following data: email addresses, hashed passwords, hashed recovery keys, secret keys for XRP ledger wallets (unencrypted wallets only), first name (if specified), last name (if specified).

GateHub's disclosure further indicated that site employees notified users whose accounts were accessed and provided them with new encryption keys and newly encrypted sensitive information, such as secret keys for the ledger wallet.
The publication of the database means the breach the wallet service disclosed in July was much larger than previously thought. Instead of obtaining only access tokens, the attackers also took 2FA keys, email addresses, password hashes, mnemonic phrases, and possibly wallet hashes. In addition, the breach involved 1.4 million GateHub users, not just the 18,473 mentioned in the disclosure. In an email, an unnamed member of the GateHub security team wrote:
We are aware of a database published on RaidForums which its author claims to be GateHub's. The alleged GateHub database is currently under scrutiny by our team. Therefore, we cannot confirm its authenticity at the moment. We will make sure that you are kept up to date on all updates.
As far as we have gathered so far, it does not contain wallet hashes. As already mentioned, we are still checking the authenticity.
One of our first reactions to the cyber attack was the introduction of a re-encryption of all GateHub accounts. With the new re-encryption, all GateHub accounts have been re-encrypted and all our customers have had to change their passwords. This was introduced in July 2019.
The statement did not explain why the investigation had failed to verify the authenticity of the data 25 days after it was published and four months after it was first accessed. It was also not clear what exactly officials meant by "re-encrypted".
"There is evidence of PGP [in the database]," Hunt said. "There are seemingly PGP-encrypted strings. I'm not sure if they were made that way, whether they are talking about re-running cryptographic hashes, or whether this PGP section refers to the wallet."
Change passwords, mnemonics, etc.
The EpicBot leak was posted on RaidForums on October 25, the same day as the GateHub dump. Hunt said it contains about 800,000 unique email addresses, along with usernames, IP addresses and hashed passwords. EpicBot officials did not respond to a request for comment on this post. I could not find any evidence of a breach notice on the EpicBot website.
The use of the bcrypt hashing function by both sites is encouraging, provided it has been implemented correctly. Bcrypt is so computationally intensive that even powerful clusters of graphics cards would need years to crack all of the passwords. Of course, it is easy to deploy bcrypt insecurely. For example, programming errors on Ashley Madison's website made it trivial to crack more than 11 million of the 36 million bcrypt hashes that leaked in the 2015 hack of that site.
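As an added illustration, not code from the article or from either site, here is a small audit a defender could run over their own password table to spot the kind of weak deployment the paragraph describes: bcrypt hashes with a low cost factor, or fast unsalted digests stored instead of (or beside) bcrypt, which let an attacker skip bcrypt entirely. The sample records and the MIN_COST threshold are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Modular-crypt bcrypt layout: $2a$/$2b$/$2y$, two-digit cost, 22-char salt, 31-char digest
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# Bare hex digests (MD5 / SHA-1 / SHA-2 style): no salt, no tunable work factor
FAST_HEX_RE = re.compile(r"^[0-9a-fA-F]{32,128}$")

MIN_COST = 10  # assumed policy floor; each +1 doubles the work per guess


@dataclass
class Finding:
    user: str
    status: str
    detail: str


def classify_hash(user: str, stored: str) -> Finding:
    """Classify one stored credential as ok, weak bcrypt, fast hash, or unknown."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(2))
        if cost < MIN_COST:
            factor = 2 ** (MIN_COST - cost)
            return Finding(user, "weak-bcrypt",
                           f"cost {cost}: {factor}x cheaper to crack than cost {MIN_COST}")
        return Finding(user, "ok", f"bcrypt ${m.group(1)} cost {cost}")
    if FAST_HEX_RE.match(stored):
        # A fast digest beside a bcrypt hash undermines bcrypt: the attacker cracks this one
        return Finding(user, "fast-hash", f"{len(stored) * 4}-bit hex digest, no work factor")
    return Finding(user, "unknown", "unrecognised format")


def audit(records):
    return [classify_hash(user, stored) for user, stored in records]


def summarize(records) -> dict:
    return dict(Counter(f.status for f in audit(records)))


# Constructed sample rows (user, stored credential); not data from any real dump
SAMPLE = [
    ("alice", "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"),
    ("bob",   "$2a$04$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"),
    ("carol", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("dave",  "plaintext-pw"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.user:6} {f.status:12} {f.detail}")
```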
The exposure of other types of personal information for up to 2.2 million accounts is less reassuring, especially as there is little evidence that all affected users were notified in good time. EpicBot users should change their passwords as soon as possible. GateHub users do not need to reset their passwords because of the mandatory change in July; however, mnemonic phrases should be replaced unless that has already been done.
To ward off the growing threat of credential-stuffing attacks, users of both sites should also change their passwords on any other site where they reused the leaked credentials. Users should also be alert to spear phishing and other attacks that make use of their exposed personal information.