DataBreaches.Net


218,000 AlphaBay marketplace users’ private messages acquired by bug hunter

Posted on January 24, 2017 by Dissent

If you’re a darknet vendor who has the skills to really test the security of marketplaces where you might hawk your wares, what do you do? Well, if you’re a vendor known as “Cipher0007” on reddit, and you find problems, you try to alert the marketplace, and then go public if they don’t respond promptly.

This week, a vendor using a throwaway identity revealed that he had found two high-risk bugs, and was letting everyone know because the AlphaBay marketplace did not respond promptly to tickets he had opened to warn them. In a reddit post, he explained:

Hi to all. I have opened a ticket to warn support of AlphaBay regarding 2 high-risk bugs, without response. Now I have dumped all private messages of buyers and sellers, over 200k, with high-risk information: first/last name and addresses of users and track id of packs sent from sellers, and all users (id, nickname), over 1 million and 130k, of this market with these bugs.

For proof, any user can put the id of a PM here and I will reply to you with the content of the PM.

Finally, I would like to talk to the admins regarding this situation.

Same for Hansa: I have a bug to dump all users signed up; it is over 240k.

He also posted screenshots as proof, redacted by him.

One of the screenshots provided by Cipher007 of private messages on AlphaBay Marketplace, redacted by him.

In response to his post, a user tested his claim by providing a private message (PM) id number, and found it accurate.

AlphaBay responded with a statement, acknowledging the bugs:

We have been made aware of the bug that allowed an outsider to view marketplace private messages and we believe that the community has the right to be made aware of what information was obtained and what was done to mitigate the issue.

----- What did the attacker obtain? -----

1) Marketplace PMs not older than 30 days, up to ID 2609452. IDs are not always sequential, as 218,000 messages were obtained. *** Conversations that did not receive a message in the last 30 days were not affected, as they were automatically purged. ***

2) List of user IDs + username (nothing more).

----- What steps have been done? -----

The attacker was paid for his findings, and agreed to tell us the methods used to extract such information. Our developers immediately closed the loophole in order to protect the security of our users.

----- Anything else? -----

No other information was obtained. All your forum PMs, order information, BTC addresses, etc. are safe. Only recent (less than 30 days) PMs were obtained.

----- What to do now? -----

No action is required from anyone, but we remind everyone to ALWAYS ENCRYPT SENSITIVE INFORMATION such as addresses, BTC addresses, tracking numbers, etc. Thanks to everyone for being a loyal customer, and to apologize to the community, we will be offering 20% discount on Escrow fees for the next week on all marketplace orders.

This was the second breach involving the marketplace’s PMs in less than one year.

DataBreaches.net contacted Cipher0007 to ask more about the bugs and AlphaBay’s response, as well as the Hansa marketplace bug mentioned in the warning post.

In a series of private messages, Cipher0007 explained that the bug was in the system that manages private messages, and that it would be hard to find evidence of it in logs because the information is sent in POST requests, not GET requests.

Because bypassing AlphaBay’s dual captcha (anti-DDoS and login/register captchas) made extracting the PMs slow, Cipher0007 said he coded a bot to extract all the data. “i executed it in my 10 vps for dump data in sync, all this in silent.”

So there were four bugs that Cipher0007 identified, as he described it:

2 bugs: bypass of the challenge captcha and of the captcha of all the market, a real bypass, not an anti-captcha service.

1 bug to dump all users registered since the market opened, from 0 to 1135000 users, but only id and usernames.

1 bug to dump all PMs, over 218000; in these PMs is all info of customers, sellers, moderators and admins.
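The two passages above describe a pattern a marketplace operator would want to be able to see: a single logged-in session walking message ids (with most lookups landing in the gaps of a sparse id space), spread across several addresses, and carrying the id in a POST body so that ordinary web-server access logs never record it. The following script is an added example written for this article, not code from DataBreaches.net, Cipher0007 or AlphaBay. It assumes a hypothetical application endpoint `/pm/view` and a constructed JSON-lines log format in which the application itself records the posted parameters, and it flags sessions that request many distinct ids in a short window, that fail most of their lookups, or that are reused from several addresses.

```python
"""Detect bulk private-message id enumeration from application-level request logs.

Access logs only record the URL, so an id carried in a POST body never appears in
them. This example assumes the application emits one JSON line per request that
includes the posted parameters (a constructed schema, not any real marketplace's).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PM_VIEW_PATH = "/pm/view"  # hypothetical endpoint name used in the constructed log


def _line(ts, ip, session, pm_id, status):
    """Format one constructed log record."""
    return json.dumps({"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "ip": ip, "session": session,
                       "path": PM_VIEW_PATH, "params": {"pm_id": str(pm_id)}, "status": status})


def build_sample_log():
    """Constructed sample traffic, not real data from any marketplace."""
    t0 = datetime(2017, 1, 20, 10, 0, 0)
    lines = []
    # A legitimate user re-reading five of their own threads over ten minutes from one address.
    for i, pm in enumerate([2609001, 2609001, 2609107, 2609230, 2609230]):
        lines.append(_line(t0 + timedelta(minutes=2 * i), "203.0.113.5", "s-legit", pm, 200))
    # One session token reused from three addresses, walking ids every two seconds;
    # only every twelfth id exists, so most lookups fail (gaps in a sparse id space).
    ips = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
    for i, pm in enumerate(range(2609400, 2609460)):
        status = 200 if pm % 12 == 0 else 404
        lines.append(_line(t0 + timedelta(seconds=2 * i), ips[i % 3], "s-bot", pm, status))
    return "\n".join(lines)


def parse_log(text):
    """Keep only PM view requests that carried a pm_id parameter."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        if rec.get("path") != PM_VIEW_PATH:
            continue
        pm_id = rec.get("params", {}).get("pm_id")
        if pm_id is None:
            continue
        events.append({"ts": datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": rec["ip"], "session": rec["session"],
                       "pm_id": pm_id, "status": int(rec["status"])})
    return events


def analyze(events, window=timedelta(minutes=5), max_distinct=20,
            max_miss_ratio=0.5, max_ips=1, min_events=10):
    """Return {session: finding} for sessions whose PM lookups look like enumeration."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = {}
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        # Peak count of distinct pm_ids inside any span of length `window` (sliding window).
        peak, start, in_window = 0, 0, defaultdict(int)
        for i, e in enumerate(evs):
            in_window[e["pm_id"]] += 1
            while e["ts"] - evs[start]["ts"] > window:
                old = evs[start]["pm_id"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        misses = sum(1 for e in evs if e["status"] != 200)
        miss_ratio = misses / len(evs)
        ips = sorted({e["ip"] for e in evs})
        reasons = []
        if peak > max_distinct:
            reasons.append(f"{peak} distinct pm_ids within {window}")
        if len(evs) >= min_events and miss_ratio > max_miss_ratio:
            reasons.append(f"{miss_ratio:.0%} of lookups failed")
        if len(ips) > max_ips:
            reasons.append(f"session used from {len(ips)} addresses")
        if reasons:
            findings[session] = {"peak_distinct": peak, "miss_ratio": round(miss_ratio, 3),
                                 "ips": ips, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for session, finding in analyze(parse_log(build_sample_log())).items():
        print(session, "->", "; ".join(finding["reasons"]))
```

The three signals are deliberately independent: a bot that spaces its requests out defeats the window count, one that knows which ids exist defeats the failure ratio, and one that runs from a single address defeats the multi-IP check, so an operator should alert on any one of them rather than requiring all three. None of this is possible without logging the posted parameter at the application layer in the first place.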

Surprisingly, perhaps, Cipher0007 states that he was not contacted by anyone offering to buy the PM data. He also tells DataBreaches.net that he deleted all the data from his HD, “but i have only last copy encrypted in secure place.”

As to the Hansa bug, Cipher0007 informs DataBreaches.net that he acquired a list of 240k users. For that bug, he received 1 BTC from the marketplace, which he claims was donated to Tor Project. He was not willing to reveal how much AlphaBay paid as a bounty, but says he was satisfied with the amount.

So a darknet vendor who claims that in other parts of his life he is a coder, pentester, and administrator found bugs and took the high road when it came to protecting other vendors and buyers. Even on the darknet, there is responsible disclosure, it seems.

This is not the first time Cipher0007 has found and reported bugs, and he tells DataBreaches.net that he will have other revelations in the future.

Category: Breach Incidents, Business Sector, Of Note

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.