In a massive security breach, private data of many famous people in the U.S. were stolen by hackers from the networks of the country’s three major data brokers, a seven-month investigation by security researcher Brian Krebs reveals.
It was discovered in March that a website called exposed.su, which has now been closed, published social security numbers, birth records, and credit and background reports of many prominent Americans, including First Lady Michelle Obama, Bill Gates, Beyonce Knowles, Jay-Z, Ashton Kutcher and many others.
Although the FBI began its own investigation into the matter, Krebs also tracked the leaked information and found that exposed.su had bought the data from another website called ssndob.ms, or SSNDOB, which used to advertise itself as a market for confidential information and sold private data for prices ranging from 50 cents to $15.
According to Krebs, SSNDOB acquired the private information from a “small but very potent” botnet -- a set of compromised computers -- that can be controlled remotely by attackers.
“This botnet appears to have been in direct communications with internal systems at several large data brokers in the United States,” Krebs wrote in a blog post. “The botnet’s Web-based interface (portions of which are shown below) indicated that the miscreants behind this ID theft service controlled at least five infected systems at different U.S.-based consumer and business data aggregators.”
SSNDOB, which itself was hacked by multiple attackers earlier this summer, got access to data by hacking into computers in the corporate networks of the data brokers, including Dun & Bradstreet in Short Hills, N.J., LexisNexis in Atlanta, and Kroll Background America, managed by Altegrity, a holding company in Falls Church, Va., Krebs said.
According to Krebs, five hacked servers were identified by examining the web interface that was used to control the botnet. Two of the servers were inside LexisNexis, two at Dun & Bradstreet and one at Kroll.
“Immediately upon becoming aware of this matter, we contacted the FBI and initiated a comprehensive investigation working with a leading third party forensic investigation firm,” said Aurobindo Sundaram, vice president of information assurance and data protection at Reed Elsevier, the parent company of LexisNexis. “In that investigation, we have identified an intrusion targeting our data but to date have found no evidence that customer or consumer data were reached or retrieved.”
Dun & Bradstreet spokesperson Michele Caselnova told Reuters that the company was "aggressively investigating" the attack.