A well-known underground hacking forum has been hit with a massive data breach that exposed the IP and email addresses, private messages and password data of around 500,000 members who used the website to expedite the selling and sharing of compromised passwords and stolen credentials. The hacker leaked the data on 6 May in a 1.3 GB tar archive file.
Nulled.io, a popular hacker forum well known for its tagline "expect the unexpected", has apparently been on the receiving end of an unexpected data breach that has left its members' personal details leaked online. The breach was uncovered by security firm Risk Based Security, which found a data dump of almost the entire website's database online. The hacker leaked the data, which when expanded is a 9.45 GB db.sql file containing over 5,500 purchase records and 12,600 invoices detailing the buying, selling and sharing of stolen credentials.
Despite discovering the data breach, Risk Based Security was unable to track down the hacker responsible. Explaining the consequences of the breach, the security firm said: "When services such as Nulled.IO are compromised and data is leaked, often it exposes members who prefer to remain anonymous and hide behind screen names. By simply searching by email or IP addresses, it can become evident who might be behind various malicious deeds. As you can imagine, this can lead to significant problems for forum users."
According to Risk Based Security, the data breach includes members' passwords, which appear to be protected by the MD5 hashing algorithm. The dump also exposed private conversations that took place in secretive VIP forums, which detail the transactions of stolen credentials and also divulge hacking techniques used by malicious hackers.
The details of who hacked Nulled, and how, remain a mystery. However, security researchers have identified that the forum used software and plugins that were permeated with critical vulnerabilities. Security experts also noted that, given how detailed the exposed data is, law enforcement officials who get their hands on it could fairly easily "filter out any 'suspects' under investigation for possibly conducting illegal activities via the forums."