[BreachExchange] Big Footy data breach exposed private details of up to 100, 000 users

[Destry Winant]

https://www.smh.com.au/politics/federal/big-footy-data-breach-exposed-private-details-of-up-to-100-000-users-20200529-p54xnz.html?ref=rss

A large data leak from an AFL fan website has exposed about 70 million
records online, including private conversations between users,
according to cyber security researchers.

Aussie Rules forum Bigfooty.com has about 100,000 users – although
it's not known how many were affected. The site has now started to
contact users to notify them about the breach but the company believes
no one downloaded the exposed data.

AFL fans on website BigFooty had their data exposed, according to
security researchers.CREDIT: SEBASTIAN COSTANZO

Cyber security research team Safety Detective, led by Anurag Sen,
claimed to have discovered about 132GB of data leaking from the site
last month.

In a report provided exclusively to Nine News, the researchers claim
they were able to view private messages, some containing email
addresses, mobile phone numbers, passwords and sensitive personal
information.

In some cases, messages included threatening or racist comments.

"Private messages are fully exposed in the leak and can be traced back
to specific users. This includes some high-profile users such as
Australian police officers and government employees," the report
reads.

"Even though user names, passwords and identities were not always
matched, there remains a significant risk that the tidbits of
information available could be used to commit identity fraud, and
consequently, create financial, social and reputational damage on
users."

The researchers say in several cases users who shared sensitive
material could be identified.


"Sensitive material of this nature exposes those users to blackmail
and coercion by malicious hackers, assuming their identity can be
determined," the report reads.

"A further issue – and one that is common with data leaks in general –
is users sharing passwords to other platforms, or re-using the same
username and password on multiple platforms."

Coronavirus: Cyber safety warning during crisis

Online paedophiles are sharing more child sexual abuse material during
the coronavirus lockdown

The research lab, which describes itself as a "pro bono service that
aims to help the online community defend itself against cyber
threats", told Nine News it immediately contacted Big Interest Group,
the US-based parent company of Bigfooty.com.

A spokesperson for Big Interest Group told Nine News the unsecured
port had been fixed on May 14.

"We have started sending out notices to potentially affected users
informing them of the issue," they said.

"Apart from access by (Safety Detective), we have not found evidence
the index was copied or downloaded by other parties.

Sensitive material of this nature exposes those users to blackmail and
coercion by malicious hackers, assuming their identity can be
determined.

Cyber security research team Safety Detective

"As it relates to data of users based in Australia, we are also
preparing a report for the Office of the Australian Information
Commissioner."

A statement was posted to BigFooty on Friday morning informing users
about the breach and telling them what to do.

"It can't be fully determined who has shared what, so everyone who has
ever posted in a private feature like convos has been emailed," the
statement said.

"It seems there's no evidence that the search index was copied in
full. The main forum server is not affected. The breach doesn't
include information you provided at registration."

The researchers also contacted the Australian Cyber Security Centre
and host-server Amazon.

While the ACSC won't comment on individual cases, a spokesperson said:
"Databases and storage services are potential targets of malicious
cyber actors and are vulnerable to compromise if not properly
secured."