DataBreaches.Net


Creditseva hacked, personal and sensitive data accessed

Posted on January 5, 2018 by Lee J

Creditseva has been in the headlines before for the wrong reasons, after security researcher Chris Vickery discovered that they had failed to secure an S3 instance, which left tens of thousands of personal details exposed.

Months later, it has come to my attention that Creditseva has now come under attack by various hackers, one of whom has managed to gain access to S3 buckets as well as rooting their server and defacing the website, not just once but twice.

In case you have not heard of them before, Creditseva, according to Wikipedia, is a credit management platform based in India, with offices in Singapore, that was launched in 2014. The service focuses on analyses of credit reports and scores from its users. Creditseva got seed funding from Pix Vine Capital and Infocomm Investments in March 2016.

The breach started just before the end of November 2017, after a user on Raid Forums posted a small dump of information.

Another well-known hacker using the Twitter alias Taylor has managed to gain access to Creditseva's main website server and a copy of the S3 bucket credentials. The credentials allowed the hackers to gain access to the S3 buckets that hold the same information that researcher Chris Vickery had discovered months back, and to prove this Taylor has provided cyberwarnews.info with some of the data from the S3 buckets.

The Deface

The first deface, on 2/1/2018, was Taylor editing a very small sentence on the main page; this was restored to the original shortly after.


At one stage on 2/1/2018 the site was defaced with the following message, only for it to once again be restored to the original index.


On 4/1/2018 Taylor decided to deface the website again, but this time it was restored by Creditseva, who put it into maintenance mode and returned a short time later with no announcement of a breach.


The data

Cyberwarnews.info has been given exclusive access to the data obtained by Taylor, which contains personal records, copies of passports, and identifications of people seeking the services of Creditseva. The sample of data provided was a 768 MB RAR file that, when expanded, has three folders, each representing one bucket.


The first folder ‘Creditseva.com_db_backups_2018’ contains 3 further files: 1 compressed file, which expands to roughly 13 GB as a raw SQL file that appears to be the main database for Creditseva, and two other SQL-based files for bad loans.

The second folder ‘Creditseva.com_UserDocumnets_2018’ contains a huge amount of personal information, with 889 folders. Each folder contains a .txt file that holds that individual's personal information, including names, contacts, passports, addresses, financial and other loan-related information. Some of the folders also contain a copy of that individual's passport and identification.


Finally, the last folder ‘Creditseva.com_website_files_2018’ contains 16 items. One of the files, called ‘mail’, contains thousands of raw emails, mostly server bounce reports, with the exception of a bunch of emails that contain applications and personal information regarding updates to users' accounts.


The two SQL files contain various personal information as well as affiliates, affiliate payouts and commission, requests for credits, and comments and status related to applications. All this information dates back to 2014/2016. In total, about 78,000 unique emails were discovered in this SQL file.

When visiting the Creditseva website, it appears to not be fully functional and still under maintenance, with all links filled in with # and pages like contact and about inaccessible. As well, when you visit the contact-us page as recently indexed by Google, it now returns a 404 not found error. It would appear that Creditseva is well aware of the fact they have been breached again and are working with restored data for the time being; if this is not the case, then they might need to speak to their development team to fix their own website's design as well as security.

At time of publishing, Creditseva had been notified of this issue, although they have not acknowledged this. Updates to come when/if they do.


Category: Breach Incidents
