The popular cyber security expert Chris Vickery from security firm MacKeeper announced that he will shortly reveal the source of a huge data breach impacting individuals.
1.4 billion identity leak story incoming Monday morning.
Thanks go to @SteveD3 (and someone else) for cooperating on investigation.
— Chris Vickery (@VickerySec) March 3, 2017
Vickery also offered a teaser of the leak, reducing the number of identities by 30,000.
Teaser screenshot of that DB's summary data: pic.twitter.com/PEnpJbDZRt
— Chris Vickery (@VickerySec) March 4, 2017
Security experts are speculating about the name of the alleged victim of the data breach; the huge amount of data restricts the list of candidates.
One name circulating online is Aadhaar, the world’s largest biometric ID system, with over 1.123 billion enrolled members as of 28 February 2017. It includes data from more than 99% of Indians aged 18 and above.
“The data is collected by the Unique Identification Authority of India (UIDAI), a statutory authority established on 12 July 2016 by the Government of India, under the Ministry of Electronics and Information Technology, under the provisions of the Aadhaar Act 2016.”
The Indian Government promptly denied that the database belongs to the Aadhaar system.
“In a comprehensive clarification with regard to misinformation in some news items and articles appearing in various print and social media during the last few days alleging breach of Aadhaar data, misuse of biometrics, breach of privacy, and creation of parallel databases etc., UIDAI said that it has carefully gone into these reports and would like to emphasise that there has been no breach to UIDAI database of Aadhaar in any manner whatsoever and personal data of individuals held by UIDAI is fully safe and secure.” reads the official statement issued by the UIDAI.
“In a statement, UIDAI has said that Aadhaar based authentication is robust and secure as compared to any other contemporary systems. Aadhaar system has the capability to inquire into any instance of misuse of biometrics and identity theft and initiate action.”
Another hypothesis on the possible origin of the huge trove of data is China, the only other country with an archive of that size (1.37bn identities). That brings us to the other candidates.
Looking at the private sector, only a limited number of companies have databases of a similar size:
Facebook, WhatsApp, Apple, Microsoft, Yahoo, the Chinese WeChat and the Tencent platforms IM QQ and social network Qzone.
El Reg also speculated about the involvement of a data harvesting company.
“The likes of Oracle, Salesforce and Wayin have colossal databases of individuals and businesses they sell to marketers and others, and claim to have hundreds of millions of records. Can’t be discounted.” reads El Reg.
Whoever it is, the data leak highlights the poor level of security of databases exposed online.
Chris Vickery has discovered many other high-profile cases of open databases exposed on the Internet. In December 2015 the security expert discovered 191 million records belonging to US voters online, and in April 2016 he discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.
In March 2016, Chris Vickery discovered online the database of the Kinoptic iOS app, which had been abandoned by its developers, with details of over 198,000 users.
In January 2017, the expert discovered online an open Rsync server hosting the personal details of at least 200,000 IndyCar racing fans.
(Security Affairs – data leak, hacking)