Lee J reports on DataLossDB:
The last couple of weeks have seen tensions rising between Russia and Ukraine, and along with it an increase in computer crime.
Sometime earlier this morning, a post allegedly by Anonymous Ukraine has claimed to have published “more than 800 million credit cards” by releasing four archives: Visa, Mastercard, American Express, and Discover cards. Based on the initial analysis by Risk Based Security, the number appears to come to a total of 955,579 cards.
[…]
Each of the four archives appears to have valid card numbers, bank routing numbers, and full names. The dump of information does not contain the credit card CCV (Card Verification Value) or card expiry information. Without this information, committing fraud with the leaked information may be more difficult.
[…]
Update 7:40P EST – In addition to the 1 million cards disclosed earlier, Anonymous Ukraine has followed up with an additional leak of over 6 million more cards announced in a Tweet. Initial analysis of the new dump by RBS shows 6,064,823 new cards. That breaks down to 668,279 American Express, 3,255,663 Visa, 1,778,749 Mastercard, and 362,132 Discover. Counting the disclosure earlier today and the subsequent dump, the grand total now sits at 7,020,402.
Upon cursory examination, a majority of cards seem to come from United States banks. Among the information released, approximately 4,000 come with full user data including social security number, credit card, card expiry, name, pins, floats, dates of birth, states, and zip codes. The new Pastebin dump from the group also suggests the data may come from ATMs or POS systems.
Social Security numbers? Hmmmm…
Read more on DataLossDB.
Update: There’s been some suggestion on Twitter that the dump is bogus. I’m trying to track that down, but for now, I’d treat this as unconfirmed.
Update 2: DataLossDB updated its post to say:
UPDATE: Based on further analysis along with discussions with journalists, it appears that this credit card dump contains valid, but older card data that had been previously disclosed. To date, there is no solid evidence this represents a new breach.