I’ll admit I sometimes ignore data dumps or hacks if they don’t fit my particular interests in reporting on breaches that impact health data or student data. But occasionally I remind myself that all breaches that expose personal information do need to be taken seriously. Yes, even those, as with the Ashley Madison hack, where some people may feel, “Well, they deserved it because they were behaving immorally.”
In the spirit of not judging, then, it’s worth noting that a hacker who calls himself “ElSurveillance” contacted me about a lot of hacks he claims he has executed targeting porn sites and escort sites.
The first hack, which is the only one he dumped all the data from, was drjizz.com. ElSurveillance, who self-identifies as Moroccan, dumped 30,263 email addresses, usernames, and plain-text passwords. Since drjizz.com’s site claims to have 20,000 registered users, there seems to be a mismatch. Inspection of the data dump suggests many of the email addresses appear to be throwaway addresses. An attempt to google some of the email addresses returned no results.
The site was notified of the data dump last week and sent a sample of the data, but never responded to the notification or a request for confirmation or denial as to the authenticity of the data. @ElSurveillance informs DataBreaches.net that this hack took place last year, but he has been just sitting on the data since then and updated it before pasting it.
Later in the week, ElSurveillance pointed DataBreaches.net to a paste identifying 71 sites he claims to have hacked.
I asked ElSurveillance if the sites were (only) defaced or if he also downloaded user data. He replied that he had hacked and downloaded data:
Some with login details such as Emails, Usernames and passwords and some the user’s private personal information including their IP addresses and so on
As of now, he has not dumped any of the personal information from those 71 sites, but says he’ll be hanging on to it for a while.
When asked why he was targeting escort sites, he provided DataBreaches.net with this statement:
I have been running an operation under the hashtag #EscortsOffline against the escorts website and agencies, Because I strongly believe that our bodies are gifted from Allah (God) to us to look after and not to destroy, And I always hated the idea of people selling their bodies for money which it gives a chance for the escort agencies to take advantage of these people who are in need So many women carried (HSV, HPV, and HIV ….) because they thought that they can earn easy money by join these agencies inc men But what most of people don’t really know that 99% of these agencies are fake, Scams and always ready to make money on your behalf And for what I have seen in my attacks and the databases that I took, They create fake accounts, Profiles and display fake photos that their owners don’t even know that these website have them So I decided to use my skills in something that I believe is good, And hopefully one day the other hackers will carry the same attacks to spreading the words.
But will any of the real people/accounts even learn that their information has been hacked? Probably not. So what good does this actually do? DataBreaches.net posed that question to ElSurveillance, who replied:
HA!
How much p0rn can this guy download? He’s probably using some of the accounts for himself, to ensure the accounts are actually working, and the download links, and on demand style videos are available upon request. Yeah, that’s it…..
I am not one to crawl around on these sites and verify anything. The problem with doing some due diligence to prove a point in most situations depends on whether these corporations want to tie up (no pun intended) someone in court for the heck of it, and to try to thwart any further action from a researcher. Perception and facts in the courtroom can differ from day to day, let alone from state to state.
=Þ