Boxee.tv Database Leaked Online
March 30, 2014 • RBS
Boxee.tv some time around the 10th of March. In some regards, it really couldn’t be a worse time for them as they have recently announced they are moving to Samsung after six years of being private. It turns out that is part of the motivation of the hacker who said he did it to “mostly to make fun of samsung, and whatnot. Plus, really, they’re running unsecure software and I’m still sitting with a backdoor on it, so really, they’ve learned nothing”.
The leak was announced on a private forum and the database information has been uploaded to a TOR service in the format of a raw SQL dump extraction totaling 792 MB and containing an impressive 192 tables, apparently obtained via SQL injection. The leaked data contains 158,128 user accounts, many of which have been banned according to a field in the users table. Included with the accounts, the information dump contained 172,234 email addresses from a total of 17,653 email providers / ISPs. Of those, almost 5,500 have more than one address in the dump including high profile electronic and telecommunication companies along with 77,061 gmail accounts. The information dump also contains the user’s encrypted passwords, password change dates, group IDs, dates of birth, IP addresses they connected from, Boxee site activity, as well as their full personal message history. Any message sent through their service, including ones with sensitive content, are now public.
Further, the passwords were apparently salted hashes and easily cracked according to sources. As a demonstration of the information dumped, an the hacker posted this message to the Boxee forums that included Brian Krebs’ personal information:
We have created an incident for Boxee on DataLossDB.org and will update this article as information becomes public.
** UPDATED – 11:15PM on 4/2/2104 with more details on attribution and motivation of the breach **
** UPDATED – 12PM on 4/3/2104 forum.boxee.tv has now been taken offline **