DataBreaches.Net


@Kapustkiy and @CyberZeist hack a human rights foundation (UPDATED)

Posted on November 22, 2016 by Dissent

Yesterday, two hackers known on Twitter as @Kapustkiy and @CyberZeist claimed that they teamed up to hack the Hungarian Human Rights Foundation. The hack was announced on Twitter.

Because CyberWarNews.info has already provided a helpful summary of the leak, which was posted on Pastebin, I’ll quote Lee’s summary:

a list of tables from the breached servers database, 24 administrator credentials from different Joomla tables and a bunch of users email addresses. The paste also has a link to MediaFire which contains a small xlsx file that contains 3 sheets. The first sheet contains 3306 user names, email addresses and IP addresses that , the 2nd sheet contains 73 user names, email addresses and contact numbers and the third sheet contains 10 user names, email addresses and contact numbers.

The attack and leak were purportedly “In the name of Free Palestine,” but when asked how attacking a Hungarian human rights foundation had anything to do with Palestine, @Kapustkiy told DataBreaches.net in a private message, “It was just a joke, nothing seriously.”

This is not @Kapustkiy’s first hack and leak, and like his previous one, his attack method was SQL injection.

In our private conversation, @Kapustkiy also clarified how he had notified HHRF. He claims that after 2-3 days, when he hadn’t gotten any response to an email attempting to notify them of the vulnerability, he leaked a portion of the data, and then called them. The foundation spokesperson said they would look into his report. But by then, he had already leaked some of the data.

“When I don’t leak anything they don’t take it seriously,” he told DataBreaches.net.

Later yesterday, he tweeted, “Looking for a team to join. Let me know what your guys motivation are.”

Hopefully, the motivation won’t be to hack non-profits trying to make the world a better place, but this incident is yet another reminder that entities need to pay attention to email attempts to notify them of security problems and to respond to them promptly.

I recently received a complaint from a lawyer after I publicly noted that their client had not responded to my phone call notification and that I had called them a second time but still got no response until I emailed them the following day. The lawyer felt that there was nothing wrong with taking 24 hours to respond to a notification. While it is true that there is no law requiring an immediate response, if someone takes time out of their day to try to alert you to your breach, have the courtesy to let them know that you got their message. Otherwise, they may, like me, remain concerned and continue taking time out of their day to try to alert you.

And apart from the issue of simple courtesy, not everyone will wait until you secure your data before reporting a leak or leaking data – especially if you haven’t bothered to respond to their attempt to alert you to a problem.

Perhaps your best strategy is to respond immediately to let the notifier know that you received their message, that you are looking into it, and that you will get back to them soon – and ask them not to publish anything (at least, not yet). Had HHRF responded to @Kapustkiy’s email notification promptly, would he have leaked their data or might he have given them a chance to secure their data and not leaked anything?

DataBreaches.net sent an inquiry to HHRF asking for a statement about the breach, but had received no reply by the time of this publication. This post will be updated if a reply is received.

Update: Although the site was up last night when I emailed them, it now appears “down for maintenance.” Hopefully, they’re addressing the problem the hackers pointed out. Because they appear to be addressing the problem, @Kapustkiy has deleted both the paste on Pastebin and the data dump from MediaFire. And both have assured me that they won’t be attacking human rights organizations in the future: @kapustkiy in a private message, and then both publicly:

I apologize for this Human Rights Foundation #breach – https://t.co/uGGFY0NBGm, it won’t be happening again from my side!

CC: @PogoWasRight

— CyberZeist (@cyberzeist) November 22, 2016

I want to apologize to everyone, for breaching the HHRF. This won’t happen again in the future. CC: @PogoWasRight

— Kapustkiy (@Kapustkiy) November 22, 2016

I’m very glad to hear that.

Category: Hack, Miscellaneous, Non-U.S.