[BreachExchange] Australia: From the Archives! 13,000+ User Accounts Leaked From Fairfax

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 19 19:17:05 EDT 2016


https://www.riskbasedsecurity.com/2016/05/australia-from-the-archives-13000-user-accounts-leaked-from-fairfax/

It’s become cliché for news articles about data breaches to begin with:
“hardly a day goes by without a new headline announcing yet another data
breach”. Today, RBS’ researchers discovered that a publisher of those very
same breach headlines has, itself, been the target of hackers. Two
Australian-based news websites, The Sydney Morning Herald and The Age
Digital Editions, have been hacked and, as a result, over 13,000 email
subscriber accounts have been leaked online.

The two targeted sites are owned and operated by Fairfax Media, one of the
largest media outlets in Australia and New Zealand. Data from the two sites
was posted online shortly before midnight (Sydney time) on May 18th. At
first glance, this data appeared to come from a subscriber email list. RBS
researchers contacted the party responsible for the leak and were able to
confirm that the data is, indeed, an email list from a database utilized by
both websites.

In addition to the leaked account data, the hacker gave RBS exclusive
insight into other data contained in the database. Information stored on
the compromised system includes payment details such as credit card numbers
with expiration dates as well as subscribers’ names, telephone numbers, and
limited address information. The party responsible for the leak explained
to RBS that they generally avoid payment info such as credit cards, so that
information was not grabbed and the dump is not complete. The dataset also
appears to be missing some information: according to the hackers, at least
the first 20 rows returned were NULL.

The breach itself appears to originate with the Sydney Morning Herald
archives via a system that is controlled by Smedia. Smedia specializes in
website development, mobile applications, and digital publishing. The
company lists many high profile clients on its website including the
Australian Government, Woolworths Supermarkets, Repco, and other media
outlets like Daily Mail Australia. Smedia currently lists both The Age and
The Sydney Morning Herald as clients and specifically calls out the Sydney
Morning Herald Archives project on their history page. It states that, in
2007, Smedia:

“Developed and produced The Sydney Morning Herald Archives. This product
allows users to search every edition of The Sydney Morning Herald and the
Sun-Herald between 1955-1995 in our unique online archive. All articles,
captions and advertisements are fully keyword searchable and results
returned in an exact digital reproduction of the printed pages as they were
originally published. With 820,000 pages in almost 13,000 issues spanning
January 1st, 1955 to February 2nd, 1995, this was the largest digitisation
project undertaken by any major publisher in Australia.”

It should be noted that, at the time of this post, it remains unconfirmed
whether the breached system is in fact the same system created by Smedia
for Fairfax. However, various accounts included within the leak can be
linked back to Smedia.

According to the hacker, the attack was a SQL injection delivered through a
tampered POST request to the smh.archives.com.au domain. As a proof of
concept, the hacker also provided RBS with a sample URL linking to the POST
data. Upon verification, the request produces a MySQL error that includes
the table name BILLINGID, which in turn alerts us to the possibility of
other data within the database that was not included in the dump.
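As an added illustration (not code from the RBS post or from the affected sites; the table name BILLINGID is the one the post mentions, every other name and value is constructed), the two handlers below show why an injectable POST parameter combined with a verbose database error page discloses schema details, and how a parameterised query with a generic error response removes both problems. SQLite stands in for MySQL so the example runs offline.

```python
import sqlite3

# Constructed stand-in for the archive database. BILLINGID is the table name
# the MySQL error disclosed; the columns and row are invented for the demo.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE BILLINGID (id INTEGER PRIMARY KEY, "
               "username TEXT, card_last4 TEXT)")
    db.execute("INSERT INTO BILLINGID VALUES (1, 'alice', '4242')")
    db.commit()
    return db

def lookup_vulnerable(db, username):
    """Concatenates the POST field into SQL and echoes the driver error
    (debug-page style, query included) straight back to the client."""
    sql = "SELECT card_last4 FROM BILLINGID WHERE username = '" + username + "'"
    try:
        row = db.execute(sql).fetchone()
        return (200, row[0] if row else "not found")
    except sqlite3.Error as e:
        # Schema and query text leave the server in the response body.
        return (500, f"Database error: {e} in query: {sql}")

def lookup_hardened(db, username, log):
    """Parameterised query: the input is bound as data, so a stray quote is
    just an unmatched username; any real error is logged, not returned."""
    try:
        row = db.execute("SELECT card_last4 FROM BILLINGID WHERE username = ?",
                         (username,)).fetchone()
        return (200, row[0] if row else "not found")
    except sqlite3.Error as e:
        log.append(f"db error during lookup: {e}")  # detail stays server-side
        return (500, "An internal error occurred")

if __name__ == "__main__":
    db, log = make_db(), []
    untrusted = "alice'"  # constructed malformed POST value
    print(lookup_vulnerable(db, untrusted))      # 500, leaks BILLINGID
    print(lookup_hardened(db, untrusted, log))   # 200, "not found"
```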

The two leaked files contain 13,277 user accounts in total. However, RBS
analysis shows the number of unique accounts is only 7,018 when both files
are analyzed together. The credentials in the leaked data include
usernames, email addresses, and encrypted passwords, which appear to be
salted. Again, it is worth noting that not all 7,018 leaked accounts
include complete information.

smh.com.au
Total     : 7,011
Unique    : 7,011
Providers : 1,622

digitaledition.com.au
Total     : 6,266
Unique    : 6,266
Providers : 1,473

It is common knowledge that many people reuse and recycle passwords across
multiple services. If by chance the passwords included in this latest leak
are cracked and the account holders used the same passwords to access other
systems, then many other accounts may be at risk.

This incident shows, yet again, another reason why Australia is desperately
in need of a mandatory breach notification law, and that its websites, big
or small, are just as much of a target for hackers as businesses located in
any other country.

Unfortunately for Fairfax, this is not the first time they have been targeted.
In 2012, two Fairfax microsites were breached and an unconfirmed 10,000
credit card details were stolen. That event resulted in an investigation by
the Office of the Australian Information Commissioner.

To Fairfax’s credit, an anonymous source has confirmed the issue and is
working to fix the problem. We have yet to see an official statement from
Fairfax regarding the breach. Regardless of the outcome of this incident,
Fairfax is far from alone in the ranks of organizations experiencing a
breach this year. Over 1,200 data breaches have been disclosed so far in
2016, exposing more than 448 Million records.