Confronting Fake News

Alon Gal — Under the Breach
Feb 28, 2020


On February 26, Under the Breach discovered that an actor had dumped the databases of 16 websites that left public AWS S3 buckets exposed to the internet. One of these sites is www.bgr.in, a huge Indian tech news site:

The thread taken from a hacking forum

We downloaded the database and discovered it is a MySQL backup of BGR's database dating back to 21.11.2017:

After extensive research into the authenticity of the database, it was beyond clear to us that the database is real and we broke the news on Twitter[1]:

Two days later, we discovered that BGR had made a public statement denying that user data was compromised in the breach[2]:

We will disprove these claims.

WordPress databases are usually pretty similar to one another, so we extracted two relevant tables to demonstrate that user data was certainly compromised.

Users table + users comments table:

Data includes usernames, e-mail addresses and IP addresses of anyone who commented on any article and, in addition, the photos of everyone who signed up.

Authors login details:

Data includes usernames, hashed WordPress passwords, e-mail addresses, and names of every single person who is able to write articles on BGR.

In order to verify that these authors really belong to BGR we simply go to https://www.bgr.in/author/AUTHOR USERNAME HERE/ and check in the page’s source if the ID of the author matches the database.

In the picture, we can see that the author with the ID 10 has the username “jkarp”, so we go to his page and check if there is an author under that username and if his ID matches 10:

The source of the page shows us that the author indeed has the ID “10”.
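The same cross-check can be scripted when many rows need verifying. The following is an added example, not part of the original post: it assumes the author ID appears in the page source as WordPress's default `author-<nicename>` and `author-<ID>` classes on the `<body>` tag, uses hypothetical function names, and runs on constructed HTML rather than a live page.

```python
from html.parser import HTMLParser


class BodyClassParser(HTMLParser):
    """Collects the class tokens of the page's <body> tag."""

    def __init__(self):
        super().__init__()
        self.classes = []

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.classes = (dict(attrs).get("class") or "").split()


def author_ids_in_source(html):
    """Return (nicenames, numeric IDs) read from author-* body classes.

    Assumption: the theme prints WordPress's default body_class() output.
    A nicename made only of digits would be read as an ID.
    """
    parser = BodyClassParser()
    parser.feed(html)
    suffixes = [c[len("author-"):] for c in parser.classes
                if c.startswith("author-")]
    names = {s for s in suffixes if not s.isdigit()}
    ids = {int(s) for s in suffixes if s.isdigit()}
    return names, ids


def check_row(row, html):
    """Compare one dump row (ID, user_nicename) with an author page's source."""
    names, ids = author_ids_in_source(html)
    if not ids:
        return "no-author-id-in-source"  # theme does not expose the ID
    if row["ID"] in ids and row["user_nicename"] in names:
        return "match"
    return "mismatch"


# Constructed page sources; only the ID 10 / "jkarp" pair comes from the article.
SAMPLE_PAGE = ('<html><body class="archive author author-jkarp author-10">'
               "<h1>Posts</h1></body></html>")
SAMPLE_NO_CLASS = "<html><body><h1>Posts</h1></body></html>"

if __name__ == "__main__":
    print(check_row({"ID": 10, "user_nicename": "jkarp"}, SAMPLE_PAGE))
    print(check_row({"ID": 11, "user_nicename": "jkarp"}, SAMPLE_PAGE))
    print(check_row({"ID": 10, "user_nicename": "jkarp"}, SAMPLE_NO_CLASS))
```

A "no-author-id-in-source" result says nothing about authenticity either way; it only means the page does not print the ID where this check looks.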

In order to demonstrate how the hashed passwords are not a barrier for hackers, we can look at the hash cracking forum, hashkiller.io, where hackers pay to get their hashes cracked:

Example of WordPress hashes that got cracked for payment:

That means that if and when a single password from the 154 different authors in the database is cracked, a hacker can log into the account and start editing articles and spreading any content he would like.

It is also worth emphasizing that this database was exposed since December 2017. That means that for more than 2 years anyone was able to find it and take advantage of it (and maybe they did).

It is a shame that BGR didn’t even contact us before releasing this article.

Connect with me — https://www.linkedin.com/in/alon-gal-utb/

References:

  1. https://twitter.com/underthebreach/status/1232605676746289153
  2. https://www.bgr.in/news/bgr-india-data-breach-no-user-data-compromised-878275/
