Poetic justice? Account hijacking forum is itself hacked, exposing details of thousands of users
Whom I will trust as I will adders fanged,
They bear the mandate; they must sweep my way
And marshal me to knavery. Let it work,
For 'tis the sport to have the engineer
Hoist with his own petard; and 't shall go hard
But I will delve one yard below their mines
And blow them at the moon. O, 'tis most sweet
When in one line two crafts directly meet.
These words, spoken by Prince Hamlet in Act 3, Scene 4 of his eponymous play, are the origin of the phrase "hoist with his own petard." Hamlet is fantasizing about the poetic justice of meting out revenge upon his father's killer. Of course, poetic justice doesn't quite work like that – especially not for Hamlet who, having just bumped off Polonius, meets his own end in Act 5.
In a twist of the karmic pepper grinder that, while not a matter of life and death, positively dwarfs that of the melancholy Dane in terms of scale, the web forum OGUsers has been hacked, exposing the details and messages of some 113,000 users. The attack is thought to have occurred on May 12.
If, for some, there's a degree of schadenfreude to these events, it's because the forum is frequented by people who try to break into other people's online accounts, in particular using SIM swap attacks, which exploit weaknesses in two-factor authentication messages sent by SMS. Such attacks can allow access to email, social media accounts and online finances. According to Krebs on Security, access details to compromised accounts were sometimes resold on the forum for hundreds or even thousands of dollars.
The attack coincided with an apparent outage which the forum administrator explained had deleted months of private messages. It wasn't until May 16 that the full scale of what happened became clear, when the administrator of another forum, RaidForums, made this announcement:
"On the 12th of May 2019 the forum ogusers.com was breached 112,988 users were affected. I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I'm the first to tell you the truth. According to his statement he didn't have any recent backups so I guess I will provide one on this thread lmfao."
The details exposed include email addresses, hashed passwords, private messages and IP addresses. They have been uploaded in full on RaidForums and elsewhere online.
After the attack, OGUsers, um, users took to the forum to report phishing emails targeting their forum accounts. According to Krebs on Security, others took to the forum's Discord channel to complain of a change in behavior that now prevents users from deleting their accounts.
Former Washington Post reporter Brian Krebs, who writes Krebs on Security, speculates that the published data is likely to be of great interest to law enforcement organizations, and may lead to arrests. Hoist indeed.
Source: Krebs on Security