Another day brings news of another popular web service getting hacked and having its data stollen. The victim this time is a popular mobile app called TrueCaller. The Syrian Electronic Army claims to have breached TrueCaller's security by exploiting a WordPress flaw and stealing 7 databases.
Sorry @Truecaller, we needed your database, thank you for it :) http://t.co/fC6ZyYAGTG #SEA #SyrianElectronicArmy
— SyrianElectronicArmy (@Official_SEA12) July 17, 2013
The Syrian Electronic Army claims to have gained access to 1 million social networking accounts (Facebook, LinkedIn, Twitter and Google) through this exploit. The company itself acknowledged the hack on its website but provided this clarification:
“Our investigation into the matter indicates the attackers were able to access ‘tokens’, which was immediately reset. Metaphorically speaking, a ‘token’ is a unique lock for each user, but what the attackers did not acquire is the needed key, which has also been reset,”
Unfortunatly the truth probably lies somewhere in between both extreme statements.
The SEA also provided this database screenshot as "proof":
From the @TrueCaller Database #SEA #SyrianElectronicArmy pic.twitter.com/sqUQpAGJQf
— SyrianElectronicArmy (@Official_SEA12) July 17, 2013
After they had harvested the information they needed, they added salt to the injury by publishing the login credentials and database name:
Database Host: http://t.co/RbaFR3eKJr | Username: tc_admin_login | Password: google123 | Database Name: truecaller_ugc #SEA @Truecaller
— SyrianElectronicArmy (@Official_SEA12) July 17, 2013
The moral of the story? We need to start demanding better security from cloud services and we need to be more judicious about what we store in the cloud.