Security researchers have discovered an unsecured database containing millions of login credentials, files and cookies. The database contained data stolen by a mysterious malware strain that spread via pirated software and email. In total, threat actors infected more than 3.25 million computers.
Accidental Discovery of a 1.2TB Data Trove
Nordlocker’s security researchers discovered the stolen database by accident. Apparently, a hacker group didn’t properly hide the database’s location. In partnership with a third-party company, Nordlocker analyzed the data. They also notified the cloud provider hosting the database in order to take it down.
In total, the database contained 1.2 TB of credentials, text files, browser cookies, autofill data and payment information. The stash included 1.1 million unique email addresses and 26 million login credentials. Moreover, there were close to a million images and more than 650,000 Word and .pdf files, most grabbed from desktops and download folders.
Researchers say that the data was extracted between 2018 and 2020. And that there were more than 3 million PC’s involved. “It’s big”, said Nordlocker. “And the victims likely never knew their files had been stolen.” The data on the database was neatly categorized into twelve groups, based on the website type.
Malware Spread via Pirated Software
The massive trove of information had been extracted by a mysterious trojan. According to Nordlocker, this type of custom-made malware can be found all over the dark web. “Anyone can get their own custom malware and even lessons on how to use the stolen data for as little as $100. And custom-made does mean custom-made – advertisers promise that they can build a virus to attack virtually any app the buyer needs.”
The researchers also discovered that the malware spread via illegal software, such as Adobe Photo Shop, as well as Windows cracking tools and pirated games. After the infection, the malware also took a screenshot of the computer and, if possible, a photo via the webcam.
Check Have I Been Pwned
The researchers shared all 1.1 million unique email addresses with the data breach search engine Have I Been Pwned. This search engine allows users to check if their credentials have been stolen in a data breach.
Of the 1.1 million email addresses, 38% were already known to Have I Been Pwned through another data breach. Nordlocker also reported the open database to US-CERT.