<div dir="ltr"><a href="https://www.riskbasedsecurity.com/2016/12/kapustkiy-the-17-year-old-man-the-myth-the-motivations/">https://www.riskbasedsecurity.com/2016/12/kapustkiy-the-17-year-old-man-the-myth-the-motivations/</a><br><p><span style="font-weight:400">A few months ago an individual using the handle </span><a href="https://twitter.com/Kapustkiy" target="_blank"><span style="font-weight:400">Kapustkiy</span></a><span style="font-weight:400">
kicked off a spree of data breaches focused mostly on government
websites from around the world. The first incident was published close
to two months ago on November 6th, when Kapustkiy announced a leak of
data coming from seven Indian embassies located in various different
countries. Since that time, there have been an additional 13 data leaks
from government services – mainly embassies and or related services –
as well as leaks from various other targets including universities
located around the world; in all impacting 17 different countries from
21 different breaches.</span></p><p><span style="font-weight:400">While this isn’t the first group or
researcher to do something of this nature, piecing together the history
and timeline of events revealed some interesting findings. <a href="https://twitter.com/BiellaColeman/status/808375193794060288" target="_blank">As was mentioned</a> this “hacker is on a roll”, affecting tens of thousands of users with personal information being leaked.</span></p>
<p><b>The Breaches</b></p>
<p><span style="font-weight:400">For the first few breaches, Kapustkiy had assistance from a hacker who uses the name </span><a href="https://twitter.com/Kasimierz_" target="_blank"><span style="font-weight:400">Kasimierz</span></a><span style="font-weight:400">.
Kapustkiy also teamed up with the well known figure CyberZeist for one
of the incidents. CyberZeist has had a presence for many years,
including links to the collective </span><a href="https://en.wikipedia.org/wiki/UGNazi" target="_blank"><span style="font-weight:400">UGNAzi</span></a><span style="font-weight:400"> who have had </span><a href="https://arresttracker.com/" target="_blank"><span style="font-weight:400">various members arrested for hacking and credit card fraud.</span></a><span style="font-weight:400">
CyberZeist recently surfaced on a backup account they reserved almost
four years ago, only to start attacking and leaking data from various
political based targets before teaming up with Kapustkiy to </span><a href="https://www.cyberwarnews.info/2016/11/21/hackers-team-up-hungarian-human-rights-foundation-gets-hacked/" target="_blank"><span style="font-weight:400">breach </span></a><span style="font-weight:400">the Hungarian Human Rights Foundation on the November 21st.</span></p>
<p><span style="font-weight:400">On the November 26th, Kapustkiy
leaked data from the High Commission of Ghana & Fiji in India and
also announced that he had </span><a href="http://securityaffairs.co/wordpress/53783/hacking/kapustkiy-pga.html" target="_blank"><span style="font-weight:400">joined</span></a><span style="font-weight:400"> a group called </span><a href="https://twitter.com/powerfularmygr" target="_blank"><span style="font-weight:400">Powerful Greek Army (PGA)</span></a><span style="font-weight:400">, who has a history of DDoS attacks. At the beginning of August, the website </span><a href="http://securityaffairs.co/wordpress/49901/hacking/hacker-interviews-pga.html" target="_blank"><span style="font-weight:400">Security Affairs spoke with PGA</span></a><span style="font-weight:400">.
In that interview, PGA stated that they were a new team of 7 skilled
hackers and that their motivations were to go after pedophiles and ISIS
supporters. Shortly after joining up with PGA, on the 2nd of December,
Kapustkiy leaked data from the Venezuelan Army website. In the
announcement for that leaks, Kapustkiy stated that he was no longer a
member of PGA. We at Risk Based Security have been in contact with
Kapustkiy and asked him the reason behind leaving PGA, which he stated
it was due to the fact that they lacked skills and he was the only one
contributing.</span></p>
<blockquote><p><span style="font-weight:400">I left them because they were not skilled as a I thought and they were only DDoSing all the time. I did the most work.</span></p></blockquote>
<p><span style="font-weight:400">Not long after leaving PGA, Kapustkiy started work with another group known as </span><a href="https://twitter.com/newworldhacking" target="_blank"><span style="font-weight:400">New World Hackers (NWH)</span></a><span style="font-weight:400">. If that name sounds familiar, its because they </span><a href="http://www.cbsnews.com/news/new-world-hackers-claims-responsibility-internet-disruption-cyberattack/" target="_blank"><span style="font-weight:400">made some very big headlines recently</span></a><span style="font-weight:400"> after claiming</span><a href="http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/" target="_blank"><span style="font-weight:400"> responsibility for the attack on Dyn DNS</span></a><span style="font-weight:400">.
The October DDOS attack against Dyn disrupted service and resulted in a
major Internet outage, impacting popular services such as Twitter,
Netflix and Paypal. On December 7th, NWH was the focus of </span><a href="http://www.zdnet.com/article/these-college-students-were-behind-bbc-trump-cyberattacks/" target="_blank"><span style="font-weight:400">an in depth research article published by Zack Whittaker</span></a><span style="font-weight:400">
of <a href="http://zdnet.com">zdnet.com</a>. The article exposed the identities of the group’s core
members, which did not include Kapustkiy. Kapustkiy explained he only
became a member NWH a week ago, which is why his identity was not
included in the research conducted by Zack.</span></p>
<p><span style="font-weight:400">So who is Kapustkiy? What are the motivations behind all of these breaches?</span></p>
<p><span style="font-weight:400">In a </span><a href="http://motherboard.vice.com/read/hacker-claims-theft-of-thousands-of-passport-numbers-from-russian-consulate" target="_blank"><span style="font-weight:400">recent interview with Motherboard</span></a><span style="font-weight:400">,
Kapustkiy states he is 17 years old. In our interactions with him, he
has described himself a security researcher who is a 17 year old male
and still at school studying IT. When inquiring about the motivations
behind these breaches he gave the following statement:</span></p>
<blockquote><p><span style="font-weight:400">“The main motivation
about that I breach all those websites is to let them understand the
consequence of a databreach and how dangerous it is when you have a bad
security.”</span></p></blockquote>
<p><b>Breach Methods</b></p>
<p><span style="font-weight:400">The method used by Kapustkiy in all
but one of the breaches has been SQL Injection. The one exception was
the Ministry of Industry Argentina, in which he explained he used brute
force against the target. When looking further into the breaches it
becomes clear that there are various common exploits being used on
similar targeted systems, making it possible to pull off so many
intrusions in a short amount of time.</span></p>
<p><a href="http://news.softpedia.com/news/russian-consulate-hacked-passport-numbers-and-personal-information-stolen-510928.shtml" target="_blank"><span style="font-weight:400">Kapustkiy disclosed to Softpedia some additional details</span></a><span style="font-weight:400">
about the breach to the Consular Department of the Embassy of the
Russian Federation in the Netherlands. He explained that he was able to
breach the website using a specific method. He shared that he was then
able to hack the Russian National Visa Bureau website using the exact
same vulnerability and hosted on the same server. This is a significant
discovery as the system administrator of the Consular Department’s
website had already been made aware of that particular vulnerability.</span></p>
<p><b>Leaked Data</b></p>
<p><span style="font-weight:400">The type of data leaked in each of
the breaches ranges from personal identifiable information (PII) such as
first and last names, home contact numbers to login credentials and
website related information. It is important to note that in each
Kapustkiy breach, he has not provided the entrie obtained data set,
making a conscious decision not to leak certain information to the
general public.</span></p>
<p><span style="font-weight:400">Kapustkiy has been actively speaking with quite a few journalists and in an </span><a href="http://news.softpedia.com/news/kapustkiy-breaks-into-indian-regional-council-server-17-000-users-exposed-510355.shtml" target="_blank"><span style="font-weight:400">interview with Softpedia he claimed that he should by no means be considered a hacker</span></a><span style="font-weight:400">, Rather he is exposing security vulnerabilities to allow administrators to patch them.</span></p>
<blockquote><p><span style="font-weight:400">“I’m a Security
Pentester,” he said. “People think I’m a hacker, but this is not true. I
only try to help most of the time,” he continued.</span></p></blockquote>
<p><span style="font-weight:400">When we interviewed Kapustkiy, we
specifically asked him about his feelings towards the innocent people
who are affected by these breaches. His reply was perhaps not what you
might expect.</span></p>
<blockquote><p><span style="font-weight:400">“I exactly feel bad for them that they can’t trust there security”</span></p></blockquote>
<p><span style="font-weight:400">So far the countries affected by the
data breaches include Switzerland, Italy, Romania, Mali, South Africa,
Libya, Malawi, India, United States, Ghana, Fiji, Argentina, Venezuela,
the Netherlands, Russia, Slovakia and China.</span></p>
<p><b>Coordination Disclosure Attempts?</b></p>
<p><span style="font-weight:400">In several of the interviews that
Kapustkiy has conducted, he routinely mentions that he is a security
pentester or security researcher, indicating that he believes that he is
one of the good guys and that his intention is to help companies
improve. Many in the security industry as well as the organizations that
have been breached would disagree that Kapustkiy’s approach is a
positive one.</span></p>
<p><span style="font-weight:400">As for referring to himself as a
pentester – anyone that is currently employed as a professional
pentester knows there are rules for such engagements that must be
followed. First and foremost among them being the target organization
must grant their permission for the test to occur. From there, the scope
of work should be clearly defined before testing gets underway and most
importantly, always have the “get out of jail free” card to show that
this work has been approved as to avoid tangling with the wrong side of
the law. Kapustkiy has not been working within these rules and
structure.</span></p>
<p><span style="font-weight:400">He also mentions that he contacts
companies in order ensure they are notified and can fix the
vulnerabilities that he finds. From the interviews he has conducted thus
far and the timelines of the breaches, it does appear that he is in
fact contacting the impacted organizations. However, it doesn’t seem to
be a long or reasonable window as it appears he waits only a few days
for a response before leading data (and it is clear some of the contacts
are occurring on a weekend).</span></p>
<p><span style="font-weight:400">And just like that, the </span><a href="https://www.riskbasedsecurity.com/2016/08/uncoordinated-vulnerability-disclosure-causing-heart-palpitations-for-st-jude-medical-shareholders/" target="_blank"><span style="font-weight:400">vulnerability disclosure</span></a> <a href="https://www.riskbasedsecurity.com/2016/10/help-us-tell-telly-that-they-have-exposed-8m-subscribers/" target="_blank"><span style="font-weight:400">debate</span></a><span style="font-weight:400"> is a topic that we are covering yet again.</span></p>
<p><span style="font-weight:400">Even with the concerns in
coordination, there are some that are seemingly thankful for his work.
One the data breaches on an Indian embassy resulted in the government
thanking Kapustkiy for discovering the breach – despite the fact he had
to leak data to get their attention since all earlier communication
attempts had failed. This type of complaint isn’t an uncommon one by any
means. Security researchers and hackers alike can feel ignored and for
good reason. Anyone that has tried getting an organization to respond to
an unsolicited security alert knows just how unreceptive – or even
hostile – companies can be. Kapustkiy has provided Risk Based Security
with three screen captures that show three different countries’
governments are actually responding to his email notifications.</span></p>
<p><img class="gmail-aligncenter gmail-size-full gmail-wp-image-3655" src="https://www.riskbasedsecurity.com/wp-content/uploads/2016/12/Kapustkiy-ScreenCaps.png" alt="" height="547" width="933"></p>
<p><b>Lessons Learned</b></p>
<p><span style="font-weight:400">First, the single biggest lesson we
hope will finally be learned once and for all is that security is
important and every organization must take the risks seriously. Yes,
security is hard and getting it “right” is complicated, but difficulty
doesn’t excuse ignoring security shortcomings. Each year since Risk
Based Security’s founding we have ended the year with some snippet about
how “this year has been the worst year on record for breaches”. Sadly
2016 is no exception, </span><a href="https://www.cyberriskanalytics.com/" target="_blank"><span style="font-weight:400">with over 4.2B records exposed.</span></a></p>
<p><span style="font-weight:400">It should be apparent that it is VERY
important to clearly communicate how self identified pentesters and
researchers who are trying to “help you” should communicate with your
organization. Here are some lessons for organizations wanting to avoid a
similar data breach fate:</span></p>
<ul><li style="font-weight:400"><span style="font-weight:400">Have a security contact clearly listed on your website</span></li><li style="font-weight:400"><span style="font-weight:400">Explain the process for responding to reports and the expected timeline for a response</span></li><li style="font-weight:400"><span style="font-weight:400">Understand
that right or wrong, ethical or not in your view, researchers expect to
be taken seriously and want a reply almost immediately</span></li><li style="font-weight:400"><span style="font-weight:400">If you do
not engage or reply to a researcher, they will most most likely publicly
disclose the issue pointing out not only the problem they have
discovered but also the lack of response from the responsible
organization</span></li><li style="font-weight:400"><span style="font-weight:400">Ensure your security contact method (email or other) is consistently monitored, even after hours, over weekends and holidays</span>
<ul><li style="font-weight:400"><span style="font-weight:400">If you can’t staff it properly, get help or a engage a service provider</span></li></ul>
</li></ul>
<ul><li style="font-weight:400"><span style="font-weight:400">Consider implementing a Bug Bounty program as part of your security program</span>
<ul><li style="font-weight:400"><span style="font-weight:400">While not
the holy grail of security, it goes a long way to engage and help to
manage the disclosure process when issues are found on your systems</span></li></ul>
</li></ul>
<p><span style="font-weight:400">Here are some thoughts for aspiring pentesters, that exploit live systems without permission and leak data:</span></p>
<ul><ul><li style="font-weight:400"><span style="font-weight:400">Understand that what you are doing is illegal and can result in law enforcement taking action</span></li><li style="font-weight:400"><span style="font-weight:400">Understand
the reasons motivating your actions, while they may be admiral and
well-intentioned, it will not make you any less vulnerable to the legal
ramification of your actions</span></li><li style="font-weight:400"><span style="font-weight:400">Consider using your skills in a more directed manner and make some money with Bug Bounties</span>
<ul><li style="font-weight:400"><a href="https://www.youtube.com/watch?v=759ZalgD1vg" target="_blank"><span style="font-weight:400">Watch a DEF CON video</span></a><span style="font-weight:400"> from Carsten Eiram and Jake Kouns to learn more</span></li></ul>
</li><li style="font-weight:400"><span style="font-weight:400">Understand that there is a great career waiting for you in the security industry and </span><i><span style="font-weight:400">you are needed</span></i><span style="font-weight:400">! A criminal record might put an end to that career before it can truly take off.</span></li></ul></ul>
<p><span style="font-weight:400">We did not ask Kapustkiy whether he
was participating in Bug Bounty programs or would consider this option.
It does seem to be a good outlet given his skills and the fact that most
17 year olds in school could use the money these programs provide. In
doing a quick search, we have found that Kapustkiy just might have had
the same idea recently. We found that as of December 10, 2016 he </span><a href="https://hackerone.com/kapustkiy/badges" target="_blank"><span style="font-weight:400">setup an account on the HackerOne platform</span></a><span style="font-weight:400">.</span></p>
<p><img class="gmail-aligncenter gmail-size-full gmail-wp-image-3649" src="https://www.riskbasedsecurity.com/wp-content/uploads/2016/12/Kapustkiy-H1.png" alt="" height="401" width="760"><br>
<span style="font-weight:400">While he doesn’t have any badges or
results to show yet through the platform, we plan on following his work
here as well. HackerOne is either going to make him a lot of money at
the rate he is going, or get him busted if he provided any personal
details that can be tracked. </span></p>
<p><span style="font-weight:400">At time of interviewing Kapustkiy, </span><a href="https://twitter.com/Kapustkiy/status/811897146018566144" target="_blank"><span style="font-weight:400">he posted on Twitter another breach</span></a><span style="font-weight:400">, this time to the Costa Rica Embassy in China and provided a screen capture showing that the website was offline.</span></p>
<p><span style="font-weight:400">Following breach activity from actors
such as Kapustkiy can be extremely tricky. Many times leaks that are
published are quickly removed or the content is made private shortly
after the original announcements. But we at Risk Based Security continue
to keep our eyes open and our ears to the ground, tracking everything
that we can to better understand how breaches are occurring, predict
their likelihood and ensure they can be avoided!</span></p>
<p><span style="font-weight:400">Based on a recent Tweet, we might not have to wait to long before we have more breaches to analyze from Kapustkiy.</span></p>
<p><img class="gmail-aligncenter gmail-size-full gmail-wp-image-3648" src="https://www.riskbasedsecurity.com/wp-content/uploads/2016/12/Kapustkiy-BigThings.png" alt="" height="223" width="544"></p>
<p><b>Breach Timeline</b></p>
<b>Date</b>
<b>Description</b>
<b>Data Impacted</b>
<b>Countries Affected</b>
<b>Motivation</b>
<b>Method</b>
<a href="http://thehackernews.com/2016/11/indian-embassy-hacked.html" target="_blank"><span style="font-weight:400">November 06, 2016</span><span style="font-weight:400"><br>
</span></a>
<span style="font-weight:400">Indian embassy websites in seven different countries</span>
<span style="font-weight:400">Data includes full name, residential address, email address, passport number and phone number, of Indian citizens living abroad</span>
<p> </p>
<span style="font-weight:400">Affected countries: Switzerland, Italy, Romania, Mali, South Africa, Libya, and Malawi</span>
<span style="font-weight:400">“We did it because their security
was poor, and several domains related to the Indian Embassy had the same
vulnerability. This proves that a lot of people can not trust the
“Embassy.” We hope that this problem will be fixed in the future.”</span>
<span style="font-weight:400">SQLi</span>
<a href="http://securityaffairs.co/wordpress/53329/data-breach/paraguay-embassy.html" target="_blank"><span style="font-weight:400">November 11, 2016</span></a>
<span style="font-weight:400">Paraguay Embassy of Taiwan (<a href="http://www.embapartwroc.com.tw">www.embapartwroc.com.tw</a>)</span>
<p> </p>
<p> </p>
<span style="font-weight:400">Real names, phone, numbers, and emails of the users, emails of employees</span>
<span style="font-weight:400">?</span>
<span style="font-weight:400">Poor Security</span>
<span style="font-weight:400">SQLi</span>
<a href="http://www.ehackingnews.com/2016/11/indian-embassy-website-in-new-york.html" target="_blank"><span style="font-weight:400">November 11, 2016</span></a>
<span style="font-weight:400">Indian Embassy in New York</span>
<span style="font-weight:400">Over 7,000 (but not all published
due to personal identifiable information) individuals first name, last
name, email-id, and mobile number</span>
<p> </p>
<span style="font-weight:400">USA</span>
<span style="font-weight:400">“I’m tired to report all the errors
that I find in a there website that I decided to breach them, NOW FIX
YOUR SECURITY F***** ADMINS!”</span>
<p> </p>
<span style="font-weight:400">SQLi</span>
<a href="http://www.ehackingnews.com/2016/11/virgina-and-wisconsin-universitys.html" target="_blank"><span style="font-weight:400">November 12, 2016</span></a>
<p> </p>
<span style="font-weight:400">Virginia and Wisconsin University’s</span>
<p><span style="font-weight:400">ECE Engineering department (<a href="http://www.ece.virginia.edu">www.ece.virginia.edu</a>)</span><span style="font-weight:400"><br>
</span><span style="font-weight:400">MEMS laboratory (<a href="http://www.mems.ece.vt.edu">www.mems.ece.vt.edu</a>)</span><span style="font-weight:400"><br>
</span><span style="font-weight:400">Wisconsin University’s e-library </span></p>
<span style="font-weight:400">First name, last name, phone number,
city, and zip code, unique identification number of the students, their
login number, password, email-id, access, and name</span>
<span style="font-weight:400">USA</span>
<span style="font-weight:400">“For ignoring me they don’t reply to my emails”</span>
<span style="font-weight:400">SQLi</span>
<a href="http://news.softpedia.com/news/hacker-breaks-into-italian-government-website-45-000-users-exposed-510332.shtml" target="_blank"><span style="font-weight:400">November 18, 2016</span></a>
<span style="font-weight:400">Italian government</span>
<span style="font-weight:400">45,000 total with 9,000 leaked login credentials</span>
<p> </p>
<span style="font-weight:400">Italy</span>
<span style="font-weight:400">“I did not get any response from
them. I hope that they will look in the database now after this breach
and make their security better,”</span>
<span style="font-weight:400">SQLi</span>
<a href="http://news.softpedia.com/news/kapustkiy-breaks-into-indian-regional-council-server-17-000-users-exposed-510355.shtml" target="_blank"><span style="font-weight:400">November 20, 2016</span></a>
<span style="font-weight:400">Eastern Indian Regional Council</span>
<span style="font-weight:400">17,000 total but only 2,000 leaked</span>
<p><span style="font-weight:400">membership numbers, names, passwords, and email addresses</span></p>
<span style="font-weight:400">India</span>
<span style="font-weight:400">?</span>
<span style="font-weight:400">SQLi</span>
<a href="http://news.softpedia.com/news/human-rights-foundation-website-hacked-thousands-of-accounts-exposed-510384.shtml" target="_blank"><span style="font-weight:400">November 21, 2016</span></a>
<span style="font-weight:400">Hungarian Human Rights Foundation</span><span style="font-weight:400"><br>
</span>
<div>
<p> </p>
</div>
<span style="font-weight:400">personal information, including phone numbers and home addresses.</span><span style="font-weight:400"><br>
</span><span style="font-weight:400">count: 20,000 </span>
<span style="font-weight:400">Hungary</span>
<span style="font-weight:400">?</span>
<span style="font-weight:400">SQLi</span>
<a href="http://news.softpedia.com/news/powerful-greek-army-hacker-breaches-high-commission-websites-in-india-510519.shtml" target="_blank"><span style="font-weight:400">November 26, 2016</span></a>
<span style="font-weight:400">High Commission of Ghana</span>
<p><span style="font-weight:400">High Commission of Fiji</span></p>
<span style="font-weight:400">200 credentials</span>
<span style="font-weight:400">India, Fiji, Ghana</span>
<span style="font-weight:400">“after local authorities failed to
boost security and address the vulnerabilities that he previously
discovered and which he used to access credentials of thousands of
users.”</span>
<span style="font-weight:400">SQLi</span>
<a href="http://news.softpedia.com/news/venezuelan-army-website-hacked-details-of-3-000-accounts-exposed-510676.shtml" target="_blank"><span style="font-weight:400">December 2, 2016</span></a>
<span style="font-weight:400">Venezuelan army CATROPAEJ</span>
<span style="font-weight:400">3,000 full names, email addresses, and telephone numbers.</span>
<span style="font-weight:400">Venezuela</span>
<span style="font-weight:400">“to help authorities find out about their security issues and address them.”</span>
<span style="font-weight:400">SQLi</span>
<a href="http://securityaffairs.co/wordpress/54068/data-breach/national-assembly-of-ecuador-hacked.html" target="_blank"><span style="font-weight:400">December 5, 2016</span></a>
<span style="font-weight:400">National Assembly of Ecuador</span>
<span style="font-weight:400">930 credentials</span>
<span style="font-weight:400">Ecuador</span>
<span style="font-weight:400">?</span>
<span style="font-weight:400">SQLI</span>
<a href="http://news.softpedia.com/news/argentinian-government-site-suffers-major-breach-personal-information-exposed-510780.shtml" target="_blank"><span style="font-weight:400">December 7, 2016</span></a>
<span style="font-weight:400">Argentinian Ministry of Industry (<a href="http://produccion.gob.ar">produccion.gob.ar</a>,)</span>
<span style="font-weight:400">18,000 credentials and private documents</span>
<span style="font-weight:400">Argentinian</span>
<span style="font-weight:400">?</span>
<span style="font-weight:400">SQLi</span>
<a href="http://motherboard.vice.com/read/hacker-claims-theft-of-thousands-of-passport-numbers-from-russian-consulate" target="_blank"><span style="font-weight:400">December 12, 2016</span></a>
<span style="font-weight:400">Consular Department of the Embassy of the Russian Federation in the Netherlands (<a href="http://ambru.nl">ambru.nl</a>)</span>
<span style="font-weight:400">30,000 email address, phone number, passport number and IP address</span>
<span style="font-weight:400">Netherlands, Russian</span>
<span style="font-weight:400">?</span>
<span style="font-weight:400">SQLi</span>
<a href="http://news.softpedia.com/news/russian-visa-website-hack-exposes-data-of-thousands-of-users-510996.shtml" target="_blank"><span style="font-weight:400">December 15, 2016</span></a>
<span style="font-weight:400">Russian National Visa Bureau in the Netherlands</span>
<span style="font-weight:400">13,000 email address, phone number, passport number and IP address</span>
<span style="font-weight:400">Netherlands, Russian</span>
<span style="font-weight:400">?</span>
<span style="font-weight:400">SQLi</span>
<a href="http://news.softpedia.com/news/slovak-chamber-of-commerce-and-industry-hacked-511094.shtml" target="_blank"><span style="font-weight:400">December 19, 2016</span></a>
<span style="font-weight:400">Slovak Chamber of Commerce and Industry (<a href="http://scci.sk">scci.sk</a>)</span>
<span style="font-weight:400">8,000 total but only 4,000, leaked names, phone numbers, hashed passwords, and emails, user logins.</span>
<span style="font-weight:400">Slovak</span>
<span style="font-weight:400">?</span>
<span style="font-weight:400">SQLi</span>
<a href="http://www.mediafire.com/file/nr524euy3dz42zg/costa_rica_embassy_in_china_-_hacked.txt" target="_blank"><span style="font-weight:400">December 22, 2016</span></a>
<span style="font-weight:400">Costa Rica Embassy in China</span>
<span style="font-weight:400">?</span>
<span style="font-weight:400">China</span>
<span style="font-weight:400">?</span>
<span style="font-weight:400">SQLi</span></div>