Australia: From the Archives! 13,000+ User Accounts Leaked From Fairfax
May 19, 2016 • RBS
It’s become cliche for news articles about data breaches to begin with: “hardly a day goes by without a new headline announcing yet another data breach”.
Today, RBS’ researchers discovered that a publisher of those very same breach headlines has, itself, been the target of hackers. Two Australian-based news websites, The Sydney Morning Herald and The Age Digital Editions, have been hacked and, as a result, over 13,000 email subscriber accounts have been leaked online. The two targeted sites are owned and operated by Fairfax Media, one of the largest media outlets in Australia and New Zealand. Data from the two sites was posted online shortly before midnight (Sydney time) on May 18th. At first glance, this data appeared to come from a subscriber email list. RBS researchers contacted the party responsible for the leak and were able to confirm that the data is, indeed, an email list from a database used by both websites.
In addition to the leaked account data, the hacker gave RBS exclusive insight into other data contained in the database. Information stored on the compromised system includes payment details such as credit card numbers with expiration dates, as well as subscribers’ names, telephone numbers, and limited address information. The party responsible for the leak explained to RBS that they generally avoid payment information such as credit cards, so the dump is not complete: that information was not taken. The dataset also appears to be missing some information, as at least the first 20 rows returned were NULL according to the hackers.
The breach itself appears to originate with the Sydney Morning Herald archives via a system that is controlled by Smedia. Smedia specializes in website development, mobile applications, and digital publishing. The company lists many high profile clients on its website including the Australian Government, Woolworths Supermarkets, Repco, and other media outlets like Daily Mail Australia. Smedia currently lists both The Age and The Sydney Morning Herald as clients and specifically calls out the Sydney Morning Herald Archives project on their history page. It states that, in 2007, Smedia:
“Developed and produced The Sydney Morning Herald Archives. This product allows users to search every edition of The Sydney Morning Herald and the Sun-Herald between 1955-1995 in our unique online archive. All articles, captions and advertisements are fully keyword searchable and results returned in an exact digital reproduction of the printed pages as they were originally published. With 820,000 pages in almost 13,000 issues spanning January 1st, 1955 to February 2nd, 1995, this was the largest digitisation project undertaken by any major publisher in Australia.”
It should be noted that, at the time of this post, it remains unconfirmed whether the breached system is in fact the same system created by Smedia for Fairfax. However, various accounts included within the leak can be linked back to Smedia. According to the hacker, the attack was carried out by SQL injection via the POST method, with some data tampering along the way, on the smh.archives.com.au domain. As a proof of concept, the hacker also provided RBS with a sample URL linking to the POST data. Upon verification, it appears that the request produces a MySQL error that includes a table name, BILLINGID, which in turn alerts us to the possibility of other data within the database that was not included in the dump.
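The two failure modes described above, a POST value reaching the database as SQL text and a raw database error being echoed to the client, shown side by side in an added example that is not RBS’ or Fairfax’s code. The subscriber table, column names and rows are constructed for the demo, and SQLite stands in for MySQL; the verbose-error behaviour is the same idea.

```python
import logging
import sqlite3

# Added example (not RBS' or Fairfax's code): a subscriber lookup done two
# ways, to show why a tampered POST value reaches the database and why raw
# database errors must never be returned to the client.
# Table, columns and rows below are constructed for the demo.

log = logging.getLogger("subscriber-lookup")


def make_db():
    """In-memory database with a constructed subscriber table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO subscriber VALUES (?, ?)",
                     [("alice@example.com", "Alice"),
                      ("o'brien@example.com", "Brian O'Brien")])
    return conn


def lookup_vulnerable(conn, email):
    """String-built query: the submitted value becomes part of the SQL
    text, and any database error is echoed straight back to the caller.
    Even a legitimate apostrophe in an address breaks the statement."""
    try:
        sql = "SELECT name FROM subscriber WHERE email = '%s'" % email
        row = conn.execute(sql).fetchone()
        return {"ok": True, "name": row[0] if row else None}
    except sqlite3.Error as exc:
        # Leaks query structure (and, on MySQL, often table names).
        return {"ok": False, "error": str(exc)}


def lookup_safe(conn, email):
    """Parameterised query: the value is bound, never parsed as SQL.
    Errors are logged server-side; the client gets a generic reply."""
    try:
        row = conn.execute("SELECT name FROM subscriber WHERE email = ?",
                           (email,)).fetchone()
        return {"ok": True, "name": row[0] if row else None}
    except sqlite3.Error as exc:
        log.error("lookup failed for %r: %s", email, exc)
        return {"ok": False, "error": "lookup failed"}
```

Note that the parameterised version also fixes the apostrophe case as a side effect: the address is matched as data, so the O'Brien row is found instead of raising an error.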
The leak totaled 13,277 user accounts across the two files in the leak. However, RBS analysis shows the total number of unique accounts is only 7,018 when both files are analyzed together. The credentials in the leaked data include usernames, email addresses, and encrypted passwords, which appear to be salted. Again, it is worth noting that not all 7,018 leaked accounts include complete information.
Site                     Total   Unique   Providers
smh.com.au               7,011   7,011    1,622
digitaledition.com.au    6,266   6,266    1,473
It is common knowledge that many people reuse and recycle passwords across multiple services. If by chance the passwords included in this latest leak are cracked and the account holders used the same passwords to access other systems, then many other accounts may be at risk. This incident shows, yet again, another reason why Australia is desperately in need of a mandatory breach notification law, and that its websites, big or small, are just as much of a target for hackers as businesses located in any other country. Unfortunately for Fairfax, this is not the first time they have been targeted. In 2012, two Fairfax microsites were breached and an unconfirmed 10,000 credit card details were stolen. That event resulted in an investigation by the Office of the Australian Information Commissioner.
To Fairfax’s credit, an anonymous source has confirmed the issue and says the company is working to fix the problem. We have yet to see an official statement from Fairfax regarding the breach. Regardless of the outcome of this incident, Fairfax is far from alone in the ranks of organizations experiencing a breach this year. Over 1,200 data breaches have been disclosed so far in 2016, exposing more than 448 million records.