Yesterday, two hackers known on Twitter as @Kapustkiy and @CyberZeist claimed that they teamed up to hack the Hungarian Human Rights Foundation. The hack was announced on Twitter.
Because CyberWarNews.info has already provided a helpful summary of the leak, which was posted on Pastebin, I’ll quote Lee’s summary:
a list of tables from the breached servers database, 24 administrator credentials from different Joomla tables and a bunch of users email addresses. The paste also has a link to MediaFire which contains a small xlsx file that contains 3 sheets. The first sheet contains 3306 user names, email addresses and IP addresses that , the 2nd sheet contains 73 user names, email addresses and contact numbers and the third sheet contains 10 user names, email addresses and contact numbers.
The attack and leak were purportedly “In the name of Free Palestine,” but when asked how attacking a Hungarian human rights foundation had anything to do with Palestine, @Kapustkiy told DataBreaches.net in a private message, “It was just a joke, nothing seriously.”
This is not @Kapustkiy’s first hack and leak, and, as in his previous one, his attack method was SQL injection.
In our private conversation, @Kapustkiy also clarified how he had notified HHRF. He claims that after 2-3 days, when he hadn’t gotten any response to an email attempting to notify them of the vulnerability, he leaked a portion of the data, and then called them. The foundation spokesperson said they would look into his report. But by then, he had already leaked some of the data.
“When I don’t leak anything they don’t take it seriously,” he told DataBreaches.net.
Later yesterday, he tweeted, “Looking for a team to join. Let me know what your guys motivation are.”
Hopefully, the motivation won’t be to hack non-profits trying to make the world a better place, but this incident is yet another reminder that entities need to pay attention to email attempts to notify them of security problems and to respond to them promptly.
I recently received a complaint from a lawyer after I publicly noted that their client had not responded to my phone call notification and that I had called them a second time but still got no response until I emailed them the following day. The lawyer felt that there was nothing wrong with taking 24 hours to respond to a notification. While it is true that there is no law requiring an immediate response, if someone takes time out of their day to try to alert you to your breach, have the courtesy to let them know that you got their message. Otherwise, they may, like me, remain concerned and continue taking time out of their day to try to alert you.
And apart from the issue of simple courtesy, not everyone will wait until you secure your data before reporting a leak or leaking data – especially if you haven’t bothered to respond to their attempt to alert you to a problem.
Perhaps your best strategy is to respond immediately to let the notifier know that you received their message, that you are looking into it, and that you will get back to them soon – and ask them not to publish anything (at least, not yet). Had HHRF responded to @Kapustkiy’s email notification promptly, would he have leaked their data or might he have given them a chance to secure their data and not leaked anything?
DataBreaches.net sent an inquiry to HHRF asking for a statement about the breach, but has received no reply by the time of this publication. This post will be updated if a reply is received.
Update: Although the site was up last night when I emailed them, it now appears “down for maintenance.” Hopefully, they’re addressing the problem the hackers pointed out. Because they appear to be addressing the problem, @Kapustkiy has deleted both the paste on Pastebin and the data dump from MediaFire. And both hackers have assured me that they won’t be attacking human rights organizations in the future: @Kapustkiy in a private message, and then both publicly:
I apologize for this Human Rights Foundation #breach – https://t.co/uGGFY0NBGm, it won’t be happening again from my side!
CC: @PogoWasRight
— CyberZeist (@cyberzeist) November 22, 2016
I want to apologize to everyone, for breaching the HHRF. This won’t happen again in the future. CC: @PogoWasRight
— Kapustkiy (@Kapustkiy) November 22, 2016
I’m very glad to hear that.