Password data and other personal information belonging to more than 2.2 million users of two websites, one a cryptocurrency wallet service and the other a gaming bot provider, has been published online, according to Troy Hunt, the security researcher behind the Have I Been Pwned breach notification service.
One download includes personal information on up to 1
The person who published the 3.72 GB GateHub database said it also included two-factor authentication keys, mnemonic phrases and wallet hashes, although GateHub officials said their investigation suggests no wallet hashes were included. EpicBot's database, meanwhile, included usernames and IP addresses. Hunt said he selected a representative sample of accounts from both databases to verify the accuracy of the data. All of the email addresses he checked were registered to accounts on the respective sites.
Another indication that the data in the file belongs to GateHub account holders is this Twitter post. It comes from Aashish Koirala, a self-described software developer who said he recently received a notice from the identity-monitoring service of the consumer credit reporting agency Experian. The advisory, Koirala said, informed him that "my @GateHub credentials have been found compromised on the dark web."
– Aashish Koirala (@aashishkoirala) November 14, 2019
While there were 2.2 million unique addresses in both dumps, it is possible
The GateHub account data, which was published on the RaidForums hacker site in late August, came three months after the cryptocurrency service announced that it had been hacked. According to GateHub, the attackers stole, or at least tried to steal, a wealth of sensitive information for more than 18,000 user accounts. The wording of the disclosure made it unclear exactly which data beyond the access tokens was successfully obtained.
GateHub staff wrote:
As suggested earlier in the update to our investigation, we believe that the perpetrator obtained unauthorized access to a database containing valid access tokens for our customers. Using these tokens, the perpetrator gained access to 18,473 encrypted customer accounts, a very small fraction of our total user base. The affected accounts contained the following information: email addresses, hashed passwords, hashed recovery keys, encrypted secret keys for XRP Ledger wallets (non-deleted wallets only), first names (if provided) and last names (if provided).

The GateHub disclosure goes on to say that site employees were notifying users whose accounts were accessed, generating new encryption keys and re-encrypting sensitive information such as wallet secret keys.
The publication of the database means the breach of the wallet service disclosed in July was much bigger than previously thought. Instead of obtaining only access tokens, the attackers also took 2FA keys, email addresses, password hashes, mnemonic phrases and probably wallet hashes. Moreover, the breach affected 1.4 million GateHub users, not just the 18,473 mentioned in the disclosure. In an email, an unnamed member of GateHub's security team wrote:
We are aware of a database published on RaidForums whose author claims it belongs to GateHub. The alleged GateHub database is being thoroughly examined by our team, so we are currently unable to confirm its authenticity. We will make sure to keep you informed of any updates.
From what we have gathered so far, it does not contain wallet hashes. As mentioned earlier, we are still verifying its authenticity.
One of our initial responses to the cyberattack was to introduce re-encryption of all GateHub accounts. With the re-encryption, all GateHub accounts were re-encrypted and all of our customers had to change their passwords. This was introduced in July 2019.
The statement did not explain why the investigation had not been able to verify the accuracy of the data 25 days after its publication and four months after it was first made available. It was also unclear exactly what officials meant by "re-encrypted".
"There are references to PGP [in the database]," Hunt told me. "There are some that appear to be PGP-encrypted strings. I'm not sure if that's what they rotated. Are they talking about rotating the cryptographic hashes, or are they talking about this PGP section that is tied to the wallet?"
Change passwords, mnemonic phrases and more
The EpicBot leak, meanwhile, was published on RaidForums on October 25, the same day as the GateHub dump. Hunt said it contains approximately 800,000 unique email addresses, along with usernames, IP addresses and hashed passwords. EpicBot representatives did not respond to requests for comment for this post. I could find no mention of a breach on the EpicBot website.
The use of the bcrypt hashing function on both sites is encouraging. Bcrypt is so computationally intensive that it would take years even for powerful clusters of graphics cards to crack all of the passwords. Of course, it is easy to implement bcrypt insecurely. The programming mistakes made by the Ashley Madison site, for example, made it trivial to crack more than 11 million of the 36 million password hashes that leaked in the site's 2015 hack.
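To make the point concrete, here is an added illustration (not code from the article or from either site) of the correct pattern next to the kind of mistake that undermines it. Bcrypt is not in Python's standard library, so hashlib.pbkdf2_hmac stands in as the salted, deliberately slow hash; the password, wordlist and record layout are constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Assumed stand-in for bcrypt: a salted, deliberately slow KDF from the
# standard library. bcrypt's cost factor plays the role of ITERATIONS here.
ITERATIONS = 200_000

def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def register_secure(password: str) -> dict:
    """Store only a per-user salt and the slow hash, nothing else derived
    from the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": slow_hash(password, salt)}

def verify_secure(record: dict, attempt: str) -> bool:
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(record["hash"], slow_hash(attempt, record["salt"]))

def register_with_shortcut(password: str) -> dict:
    """The anti-pattern: the same record plus an unsalted fast hash of the
    lower-cased password kept for a 'quick' check. The slow hash is now
    irrelevant; whoever holds the dump only needs to attack the fast one."""
    rec = register_secure(password)
    rec["quick"] = hashlib.md5(password.lower().encode()).hexdigest()
    return rec

def recover_from_quick_hash(record: dict, wordlist: list[str]) -> str | None:
    """Shows why the shortcut is fatal: one unsalted MD5 per guess, so a
    small dictionary (or a GPU doing billions per second) finds it instantly."""
    for guess in wordlist:
        if hashlib.md5(guess.lower().encode()).hexdigest() == record["quick"]:
            return guess
    return None

# Constructed sample data for the example.
WORDLIST = ["password", "letmein", "Summer2019", "qwerty"]

def demo() -> dict:
    good = register_secure("Summer2019")
    bad = register_with_shortcut("Summer2019")
    return {
        "secure_accepts_correct": verify_secure(good, "Summer2019"),
        "secure_rejects_wrong": verify_secure(good, "summer2019"),
        "shortcut_recovered_as": recover_from_quick_hash(bad, WORDLIST),
    }
```

The lesson for anyone reviewing a login system: a slow hash only helps if no faster representation of the same password is stored or logged anywhere else.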
The leak of the other types of personal information for what could be as many as 2.2 million accounts is less reassuring, especially since there is little evidence that all affected users were notified in a timely manner. EpicBot users should change their passwords as soon as possible. GateHub users need not reset their passwords, given the mandatory change made in July, but mnemonic phrases should be replaced if they have not been already.
To guard against the growing threat of credential stuffing attacks, users of both sites should also change their passwords on any other site where they used the same compromised credentials. Users should likewise be on the lookout for phishing scams and other attacks that make use of their leaked personal information.