Damn. This is a breach involving highly sensitive data. I am publishing a Google translation of a report that appeared on Security.nl. If you can read Dutch, please go read the original report. I hope that Security.nl understands that I am using their content because this breach is so serious and I want my readers to be aware of it.
Attackers have managed to steal private data from users of PratenOnline.nl, a website where young people with anxiety and depression complaints can chat anonymously with a professional. How many users are affected and what data is involved is still unclear.
PratenOnline informs RTL Nieuws that the attackers are threatening to make the stolen data public if they are not paid. The data would in any case include e-mail addresses and telephone numbers of young people who made use of the website.
PratenOnline states that the investigation into the break-in is still ongoing, but explains to RTL Nieuws that no chat conversations between young people and aid workers have been captured.
However, an informant on the whistleblowing platform Publeaks has said that chat conversations have indeed been stolen. This would involve more than 16,000 personal chats, according to de Volkskrant. Three chats were sent as proof, but it is unclear whether they are authentic. Furthermore, this informant claims that data from more than 14,000 profiles has been compromised.
PratenOnline has reported the incident to the police and informed the Personal Data Authority. The website, which the organization has currently shut down, will also inform all affected users.
So what do we know about the attackers? How much are they demanding in payment? What are their communications to the platform like, and in what language? And how did the platform provide for “anonymous” and secure chats? Were the communications encrypted? If not, why not?