Security Company identifies hackers behind the leak of Collection 1 – Billions of users records continue to leak

Security Company Identifies hackers

Millions of user records keep leaking. Some data leaked years earlier, some new. The Threat Intel team at Recorded Future, a US cyber security company, claims to have identified the hacker who assembled and sold a massive collection of email addresses and passwords called Collection #1.

The experts of the company believe that a hacker with the pseudonym “C0rpz “is the person who has collected billions of user records rigorously and meticulously in the last three years. This includes records from previously hacked companies that have been posted or sold online.

According to Recorded Future, C0rpz is not only responsible for assembling and selling Collection #1, a data trove of 773 million unique email addresses and just under 22 million unique passwords that captured headlines at the beginning of the year, but many more.

Researchers say that Collection #1 was part of a larger package with a total of seven additional “collections.”

“ANTIPUBLIC #1 “(102.04 GB)
“AP MYR & ZABUGOR #2 “(19.49 GB)
“Collection #1 “(87.18 GB)
“Collection #2 “(528.50 GB)
“Collection #3 “(37.18 GB)
“Collection #4 “(178.58 GB)
“Collection #5 “(40.56 GB)

The remainder seems to be new items that were not seen online until this month. In total, these databases appear to contain more than 3.5 billion user records, including email addresses and passwords, usernames and passwords, cell phone numbers and passwords.

Recorded Future says that C0rpz has sold this data to other hackers who now distribute it free of charge through the MEGA online sharing portal and through torrent magnet links.

Some of the hackers who purchased this data from C0rpz are Sanix, another hacker who infected journalist Brian Krebs first identified as the source of Collection #1, and Clorox, the person who initially shared Collection #1 free of charge in Raid Forums at the beginning of the month, who inadvertently exposed this huge data trove to security researchers and reporters.

“None of the three actors was ever on our radar, “Andrei Barysevich, Director of Recorded Future Advanced Collection.” However, we found a previous online footprint on all actors, which does not suggest that these actors are sophisticated.

“Barysevich also told ZDNet that his team did not find “any evidence “that the three named, including C0rpz, are hackers, who are responsible for any company’s actual breaches.” We believe that over time the data has only been aggregated, “Barysevich told us. But Recorded Future experts are not 100% sure that these data collections are attributed to C0rpz-as no attribution involving self-aggrandizing and braggadocio hackers can ever be 100%. Experts also look at another potential leak source, which they have not yet named.

“On January 10, 2019, an actor at a well-known Russian-speaking hacker forum posted both a magnet link and a direct download link to a database containing 100 billion user accounts hosted on a personal website, “Recorded Future said in today’s report.”

The actor made it clear the following week that the data dump referred to in Troy Hunt’s [ Collection #1] article was also included in their dump. “To be fair, it really doesn’t matter who finally collected, sold or shared the data. All these data have been available for years. The difference was that in the past, this data was shared by place of origin in individual packages.

Only a recent trend for data hoarders (hackers who collected data from hacked sites) to collect these smaller leaks and breaches into gigantic packages has become. This has become a trend because more and more companies are hacking and the value of individual leaks has been reduced.

Data sellers adapted and began to merge leaks to continue making a profit. Hundreds of similar mega-packages are likely to be shared in hacking forums out of the public eye as we speak, which have not yet come to light.

They will eventually. When this happens, cybercrime groups will collect these aggregate leaks, extract any new user records they do not have and use this information to spam our email inboxes, attempt brute attacks on our online accounts or, worse still, use these details for extort or financial fraud.

It is highly probable that most of our information has already leaked online. All we, the users, can do is protect our accounts with strong passwords that are unique per site, enable multi-factor authentication wherever possible and avoid entrusting our data to any company that does not ask for our details. Now, if we were only able to get journalists to stop blowing these “collections “out of proportion each time one of them online.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.