Cybersecurity Case Study #1: The Downfall of YGG Torrent

Posted by Cécile G. on 25 Mar. 2026

At the beginning of this month, a new data-leak case spread across internet news like wildfire through a pine forest in the driest heart of summer.

The victim of this leak: Ygg Torrent, a 10-year-old pirate website where users browse, seed and download torrent files of all types.

Throughout the years, the website managed to survive and somehow thrive, in spite of the legal authorities.

It showed every promise of becoming economically sustainable, introducing last December a new freemium plan that let users download more files than the set limit.

According to data from the leak, that venture would have proven quite fruitful (a word which here means "tripling their turnover in a single month") had it not been for one entrepreneurial hacker's intervention.

On March 2nd, Ygg staff received an email from a hitherto unknown hacker, Gr0lum, demanding they pay him around $100,000 in cryptocurrency.

As the team refused to pay, Gr0lum followed through on his threats: on the night of March 3rd to 4th, he exfiltrated the entire content of Ygg's catalog and user account database.

To be precise, this meant 6.6 million user accounts being leaked.

For a couple of days following the leak, people remained gobsmacked by the absolute tour de force. Many were convinced Gr0lum was a genius hacker with a past, who had deliberately come out of the shadows to settle a score with Ygg's staff.

As the attack gained notoriety online, people started focusing on the specifics of the operation to figure out how it had all been made possible.

Spoiler: it was not technical prowess.

It was the exploitation of Ygg's numerous security lapses at strategic checkpoints, across all the different stages of their system.

How Many Cracks Were in Their Defense Exactly?

1) An accessible entrypoint to Ygg’s preprod environment, found thanks to an online browser tool.

2) A port, left unprotected by any authentication, open to outside queries.

3) Queries that managed to reach files containing sensitive security data: in this case, the admin account credentials.

4) The use of said credentials to gain access to other servers.

5) A refusal to bargain with the hacker to avoid the leak.

6) Exfiltration of particularly sensitive personal data of platform users, such as identification or financial information.

7) Deletion of the whole database's contents, as well as the 4 servers the platform relied on to function.

8) Leak of both user data and torrent catalog data online.

This last step put a definitive end to the platform's existence; it went offline for good.

What is the Moral of this Story, then?

Overconfidence cost Ygg’s staff their platform.

It also cost them trust from a community of users whose account details were leaked.

It ultimately cost them their reputation, as anyone looking into the specifics of the case would understand Ygg's careless approach and overall responsibility in all matters of security.

The whole case shows us bystanders how any organisation, lawful or not, can be exposed to great risks when security is brushed aside as an irrelevant topic of attention.

You may host a pirate website and still suffer from pirates' wrongdoings, so long as you do not take precautionary measures to protect your systems.

Many individual flaws contributed to this leak and formed the chain of exposure for the attack, but one of them in particular made everything worse: the privilege escalation.

The credentials, lifted from an openly accessible directory listing (they were not, per se, stolen from a human user), really sealed the extent of the damage Gr0lum was able to carry out.

They should not have been openly accessible, nor should many of the other pieces of information Gr0lum leveraged to make the leak possible.
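The two weak points that did the most damage in the chain above (steps 2 and 3 of the list, and the openly listed credentials discussed in this paragraph) are the kind of thing a preprod owner can catch with a routine audit of what the web server actually exposes. The script below is an added example written for this article, not code from Ygg or from the author; it walks a web-served directory tree and reports files that should never be reachable (config files, dumps, VCS metadata), credential-like assignments inside reachable files, and directories with no index file (which a server with directory listing enabled would list). The file-name patterns, the credential regex and the sample tree it builds are all constructed assumptions for the demo.

```python
"""Audit a web-served directory tree for the exposures described above.

Constructed example: the sensitive-name list, the credential pattern and
the sample 'preprod' tree are assumptions, not Ygg's actual layout.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# File names that commonly hold secrets or full data copies (assumed list).
SENSITIVE_NAMES = re.compile(
    r"(^\.env$|^\.env\..*|\.sql$|\.bak$|\.old$|^config\.php$|^wp-config\.php$|"
    r"^settings\.py$|\.pem$|\.key$|^id_rsa$)",
    re.IGNORECASE,
)
# VCS / tooling directories that expose source and history when served.
SENSITIVE_DIRS = {".git", ".svn", ".hg"}
# Credential-like assignments: a secret-ish key name, then '=' or ':', then a value.
CRED_LINE = re.compile(
    r"(?i)\b(pass(word)?|passwd|secret|api[_-]?key|token|db_pass(word)?)\b\s*[=:]\s*\S+"
)
# If none of these is present, a server with autoindex on will list the directory.
INDEX_FILES = {"index.html", "index.htm", "index.php"}


@dataclass
class Finding:
    kind: str        # sensitive_file | sensitive_dir | credential | listable_dir
    path: str        # path relative to the webroot
    detail: str = ""


def audit_webroot(root: str, max_bytes: int = 1_000_000) -> list[Finding]:
    """Walk the tree under `root` and collect everything a web server should not expose."""
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        for d in list(dirnames):
            if d in SENSITIVE_DIRS:
                findings.append(Finding("sensitive_dir", os.path.join(rel_dir, d)))
                dirnames.remove(d)  # no need to descend; the directory itself is the finding
        if not (set(filenames) & INDEX_FILES):
            findings.append(Finding("listable_dir", rel_dir or "/",
                                    "no index file; listed if autoindex is on"))
        for name in filenames:
            rel = os.path.join(rel_dir, name)
            full = os.path.join(dirpath, name)
            if SENSITIVE_NAMES.search(name):
                findings.append(Finding("sensitive_file", rel))
            try:
                if os.path.getsize(full) > max_bytes:
                    continue  # skip large binaries/dumps for the content scan
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if CRED_LINE.search(line):
                            findings.append(Finding("credential", rel, f"line {lineno}"))
            except OSError:
                continue
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, for a quick pass/fail view."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def build_sample_webroot() -> str:
    """Constructed preprod-like tree for the demo (placeholder values, not real data)."""
    root = tempfile.mkdtemp(prefix="preprod_")
    os.makedirs(os.path.join(root, "backup"))
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html>ok</html>\n")
    with open(os.path.join(root, "backup", "config.php"), "w") as f:
        f.write("<?php\n$db_user = 'admin';\n$db_pass = 'constructed-example-only';\n")
    with open(os.path.join(root, "backup", "users.sql"), "w") as f:
        f.write("-- constructed dump placeholder\n")
    with open(os.path.join(root, ".git", "HEAD"), "w") as f:
        f.write("ref: refs/heads/main\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for finding in audit_webroot(sample):
        print(f"{finding.kind:15} {finding.path} {finding.detail}")
    print(summarize(audit_webroot(sample)))
```

Run against a real webroot by calling `audit_webroot("/var/www/preprod")` (path assumed); any `sensitive_file`, `sensitive_dir` or `credential` finding means the file must be moved out of the served tree or blocked in the server configuration, and a `listable_dir` finding is only safe if directory listing is switched off for that server.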

Thinking "there's no way everything will align as badly as the worst-case scenario" is the exact mindset hackers rely on to explore every little chip in your defense.

To avoid leaving your admin credentials for anybody to pick out in the wild, get equipped with an appropriate tool.
Get Started with MIA