The story of the attack on Morele reads like a good Venezuelan telenovela. It started with an innocent suspicion that something was wrong. At first she denied it. Then she stopped denying and went strangely quiet, only to burst into tears in public a few days later. In the background there was extortion, big money and premature statements that later had to be cleaned up with considerable embarrassment. And that is not the end, because the great tragedy seems to keep growing…
Misfortunes come in pairs
Translation from Venezuelan into our language: Morele was hacked a month ago and the data of about 2 million customers was stolen. The company worked with the police and talked to the intruder, but after an unsuccessful attempt to locate him it decided to inform customers about the theft of their data. In retaliation, the intruder decided to describe not only how he had stolen the data, but also how the negotiations went, and that 350,000 passwords had already been cracked.
Let us be clear: a break-in and the loss of 2 million users' data is no small matter. Morele deserves praise for not burying its head in the sand (and even for admitting that the leak was bigger and also covered identity-card data), but it is rightly criticized for not immediately resetting the passwords of its customers' accounts.
Why is such a reset necessary after a data loss? Because password hashes get cracked. The intruder revealed that he had already "cracked" over 350,000 of them (and that was on 20 December…):
The lack of a password reset allowed the attacker to:
1. Access the accounts of victims whose passwords were weak (because, as you can see, weak passwords are cracked first) and possibly supplement the stolen data with information the intruder had not been able to steal in the first place.
2. Check whether the victim had also created accounts on other websites (e.g. Facebook, e-mail, gaming sites, auction portals) using the e-mail address given to Morele. If the password was the same, the intruder could get into the victim's other accounts and steal more data about him, but also use that account for fraud or theft (depending on the service). We know of several such attempts.
That is why it pays to use a password manager. If a database leaks at some point, point 2 above does not apply to you.
There is something more …
Shortly after our article reporting on the message Morele sent to the "victims", reader Wiktor wrote to us. He had received the message from Morele even though he had deleted his account in the store more than half a year earlier (exercising the rights granted to him by RODO).
However, the reader received the notification about the theft of his data not at the address he had given Morele, but at:
USUNIETY_ab1ef185e0@wiktor.[nazwisko-wiktora].com
On this basis one may suspect that Morele does not delete all the data of users who asked to have it erased; their records were "only" marked by adding the prefix USUNIETY_ ("DELETED").
How many people like Wiktor were in Morele's database at the time of the theft?
The intruder gave us at least that number when we asked him how many e-mail addresses with this prefix he had obtained.
Regarding the incompletely deleted customer data, we have been trying to contact Morele for 7 days, but so far we have received no response on this matter. If we ever receive one, we will update this article.
We would have liked to end this text with the usual sentence:
Let us hope that the faulty deletion affected only the e-mail address and that the remaining data of people who had deleted their accounts was no longer in the database at the time of the theft.
… but everything indicates that such hope would be in vain. Wiktor's experiment proves it.
Wiktor's deleted data is still readable on Morele's servers
Wiktor decided to "recover" the password for this strange e-mail address at which he had received the message from Morele… and he succeeded. After logging in, he saw all of his "quasi-deleted" personal data.
So everything indicates that Morele does not delete accounts but rather, inappropriately, "blocks access to the account of a user who wanted to exercise the rights granted by the Personal Data Protection Regulation by changing the e-mail address to an unpredictable one".
Unfortunately, such blocking seems doubly problematic. First, users with their own domain and a catch-all mechanism can recover their "deleted" account; second, in the event of a theft, the thief receives data that should no longer be there at all…
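To make the difference concrete, here is a hypothetical demo added for this article (not Morele's or Infopraca's code): a record "deleted" only by renaming the local part to USUNIETY_ plus random hex keeps its domain, its password hash and its profile, so a reset mail still lands in the owner's catch-all mailbox and a login still succeeds, whereas real erasure removes the credential and the data and leaves a non-routable address. The account, names and domains are constructed.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    password_hash: Optional[str]
    profile: dict = field(default_factory=dict)


def hash_password(pw: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()


def can_login(acct: Account, pw: str) -> bool:
    # A record without a hash can never authenticate, whatever its e-mail looks like.
    if acct.password_hash is None:
        return False
    salt_hex, dk_hex = acct.password_hash.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


def prefix_delete(acct: Account) -> None:
    # The pattern described in the article: the local part becomes
    # USUNIETY_<10 hex chars>, but the domain, the hash and the profile all stay.
    domain = acct.email.rsplit("@", 1)[1]
    acct.email = f"USUNIETY_{secrets.token_hex(5)}@{domain}"


def erase(acct: Account) -> None:
    # Real erasure: drop the credential and the profile, and replace the address
    # with a token under the reserved .invalid TLD, which no mail server routes.
    digest = hashlib.sha256(acct.email.lower().encode()).hexdigest()[:16]
    acct.email = f"erased-{digest}@erased.invalid"
    acct.password_hash = None
    acct.profile.clear()


def reset_mail_reaches_owner(acct: Account, owned_domains: set) -> bool:
    # A catch-all mailbox accepts any local part, so a "deleted" address that
    # keeps its domain still delivers the password-reset link to the former user.
    return acct.email.rsplit("@", 1)[1].lower() in owned_domains
```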
Not only Morele…
Morele is unfortunately not the only service that "erases" user records this way. We have had the same experience with Infopraca, where a "deleted" account receives the prefix "xxx" in front of the e-mail address, although there at least the password cannot be "recovered".
We will add one more story. When analysing a database lost by a large, well-known Internet service, it turned out that many users of that site had a specific, rather complicated password. It read as follows:
We will not tell you which service it is, but probably many of you have an account there too ;) If your account on some website was ever locked because you did not, for example, pay the service fee in time, you already know what ;)
PS. If you want to learn how to build applications so as to minimize the risk of data leaks, and how to detect leaks when they do occur, we invite you to our Attacking and Protecting Web Applications training. Every programmer should attend. Opinions of past participants can be found here. The next dates of this training in various cities can be found here.
DELETED_PS. This paragraph does not exist, it was deleted at the request of the user.