When the Hackers Get Hacked

Nulled.io, a forum that sells compromised passwords, stolen bitcoins and other neat stuff was hacked recently, exposing email addresses of people buying and selling, purchase histories and messages between buyers and sellers for 500,000 members.

Here is what the website looks like today:


If you look at their “tag line” below their logo, it says EXPECT THE UNEXPECTED.  Perhaps they needed to heed their own advice.

This data was discovered by security analysis firm Risk Based Security and it is available to anyone who is interested can look at this data.  The size of data hacks that we are beginning to see is amazing.  This leak is almost 10 gigabytes in size.  No longer are we seeing people expose a database or a few email messages;  now they are dumping an entire website.

I ASSUME that two groups of people who might be interested are folks like law enforcement (FBI, Scotland Yard) and intelligence agencies (NSA, CIA, MI5, MI6).  One group is interested in who they can arrest and charge with a crime.  The other is interested in who they can turn and use for their own purposes.  In either case, there are likely some people who are going to get an unwanted visit from the men in black.

The private messages provide an insight into the minds of criminals including what can be bought and sold as well as the tech support requirements (the private messages act as a form of hacker help desk) as hackers try to get their hacks working.

In total, there are over 2 million posts, 800,00 messages, 5,000 purchases and 12,000 invoices.

How the site was hacked is unknown, but the software that the site runs on, Invision Power Services’ IPS Community Suite, was riddled with critical vulnerabilities according to Risk Based Security.

Maybe the hackers need to read the news and keep their software patched and up to date.  MAYBE, they should have done penetration testing.  I wonder if they know anyone who knows how to do that kind of stuff – like most of their members?

One possible scenario, and there certainly are a lot of possibilities, is that a disgruntled buyer decided to take out his or her frustration on the site.

In any case, it just goes to show that there IS no honor among thieves.


Information for this post came from Ars Technica and Risk Based Security.

Leave a Reply

Your email address will not be published.