Full Report
Pure Incubation was founded in 2012, and the company later rebranded to DemandScience. Back in March 2024, an actor named KryptonZambie posted a thread on Breach Forums selling a database belonging to Pure Incubation. Furthermore, within their group of businesses, they reportedl...
Analysis Summary
# Incident Report: Pure Incubation (DemandScience) Data Breach
## Executive Summary
In March 2024, Pure Incubation (rebranded as DemandScience) suffered a significant data breach resulting in the exfiltration of a large database. The actor, KryptonZambie, advertised the sale of this database on Breach Forums. The compromised data exposed millions of records containing PII, including contact information and encrypted passwords, posing a high risk of identity compromise and social engineering for affected individuals.
## Incident Details
- Discovery Date: Initial publication on Breach Forums in **March 2024** (the date the actor's sale thread appeared).
- Incident Date: Not explicitly stated, but occurred prior to the **March 2024** public posting.
- Affected Organization: Pure Incubation (now DemandScience) and its subsidiaries/related B2B data services.
- Sector: Technology/Data Services (B2B Solutions).
- Geography: Not specified.
## Timeline of Events
### Initial Access
- Date/Time: Unknown, prior to March 2024.
- Vector: Unknown. The article does not specify the initial entry vector.
- Details: The compromise led to the exfiltration of a database belonging to the organization.
### Lateral Movement
- Details: Not specified in the provided context.
### Data Exfiltration/Impact
- Details: Two specific tables were compromised: one containing potential member details and another containing contact information. This included names, physical addresses, email addresses, job titles, company details, LinkedIn URLs, and **encrypted passwords**.
### Detection & Response
- Details: The incident was discovered externally when the actor **KryptonZambie** posted a thread selling the database on **Breach Forums** in March 2024. The source material reports no specific remediation or containment actions.
## Attack Methodology
- Initial Access: Unknown.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Compromise of stored, **encrypted passwords** suggests direct database access or key acquisition.
- Discovery: Unknown.
- Lateral Movement: Unknown.
- Collection: Targeted extraction of two specific database tables containing PII and contact information.
- Exfiltration: Data was packaged (implied) and offered for sale on Breach Forums.
- Impact: Data exposure and subsequent sale on the dark web.
## Impact Assessment
- Financial: Not specified.
- Data Breach: Millions of Personally Identifiable Information (PII) records compromised. Data included names, physical addresses, emails, job titles, company details, LinkedIn URLs, and **encrypted passwords**.
- Operational: Not specified, though sensitive data exposure is a significant operational risk.
- Reputational: High, due to the public offering of the data for sale by a known threat actor on a public forum.
## Indicators of Compromise
- Network indicators: None provided (the source shares no URLs or IP addresses, not even in defanged form).
- File indicators: Compromised database files/exports.
- Behavioral indicators: Threat actor posting data sale thread on Breach Forums under the name **KryptonZambie**.
## Response Actions
- Containment measures: Unknown.
- Eradication steps: Unknown.
- Recovery actions: Unknown. (The context focuses solely on disclosure.)
## Lessons Learned
- Data Security: Encrypted passwords were among the stolen data, indicating that the password hashing/salting mechanisms may have been insufficient, or that the encryption method used was weak enough to be compromised as part of the data theft.
- Asset Management: Critical B2B data repositories housed within the group of businesses (subsidiaries specializing in AI-powered solutions) were vulnerable to mass exfiltration.
## Recommendations
- Immediate review and enhancement of password storage practices (e.g., utilizing modern, strong, salted hashing algorithms like Argon2).
- Conduct a comprehensive forensic investigation to determine the initial access vector used by KryptonZambie.
- Inventory all data held by subsidiaries operating in the B2B sector, ensuring strict segmentation and access controls are applied to PII databases.
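The first recommendation above, salted memory-hard password hashing with a self-describing stored format, as an added example that is not part of this report and not DemandScience code. The report recommends Argon2; since Argon2 is not in the Python standard library, this example uses `hashlib.scrypt` (also a salted, memory-hard KDF) as a stand-in, and the storage string format, parameter names and cost values are constructed here for illustration. The same shape (random per-record salt, parameters stored beside the hash, constant-time comparison, and a rehash check when the work factor is raised) is what you would build around `argon2-cffi`'s `PasswordHasher` in production.

```python
"""Salted, memory-hard password hashing with parameter-carrying storage.

Added example (not from the report). Uses hashlib.scrypt as a stand-in for
the Argon2 the report recommends; argon2-cffi would replace the KDF call.
"""
import base64
import hashlib
import hmac
import secrets

# Assumed work-factor parameters for illustration; tune per deployment.
# scrypt memory use is ~128 * r * n bytes, so n=2**14, r=8 is 16 MiB.
CURRENT_N = 2 ** 14
CURRENT_R = 8
CURRENT_P = 1
SALT_LEN = 16   # bytes of random salt per stored password
DKLEN = 32      # bytes of derived key kept as the "hash"


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Run the KDF. scrypt requires n to be a power of two."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)


def hash_password(password: str, *, n: int = CURRENT_N, r: int = CURRENT_R, p: int = CURRENT_P) -> str:
    """Return a self-describing record: $scrypt$n=..,r=..,p=..$<salt b64>$<hash b64>.

    A fresh random salt is drawn for every call, so hashing the same password
    twice yields different records and defeats precomputed (rainbow) tables.
    """
    salt = secrets.token_bytes(SALT_LEN)
    dk = _derive(password, salt, n, r, p)
    params = f"n={n},r={r},p={p}"
    return "$".join(["", "scrypt", params,
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def _parse(stored: str):
    """Split a stored record back into (n, r, p, salt, hash). Raises ValueError on bad input."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "scrypt":
        raise ValueError("unrecognised password record format")
    params = dict(kv.split("=", 1) for kv in parts[2].split(","))
    n, r, p = int(params["n"]), int(params["r"]), int(params["p"])
    if n < 2 or n & (n - 1):
        raise ValueError("scrypt n must be a power of two")
    return n, r, p, base64.b64decode(parts[3]), base64.b64decode(parts[4])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the record's own parameters and compare in constant time.

    hmac.compare_digest avoids leaking how many leading bytes matched through timing.
    """
    try:
        n, r, p, salt, expected = _parse(stored)
    except (ValueError, KeyError):
        return False
    candidate = _derive(password, salt, n, r, p)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record was produced with weaker parameters than the current policy.

    Call this after a successful login and re-hash with the user's plaintext so
    that raising the work factor migrates records without a forced reset.
    """
    n, r, p, _, _ = _parse(stored)
    return (n, r, p) < (CURRENT_N, CURRENT_R, CURRENT_P)


if __name__ == "__main__":
    # Constructed sample credentials, not real user data.
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong rejected:", not verify_password("Tr0ub4dor&3", record))
    legacy = hash_password("correct horse battery staple", n=2 ** 10)
    print("legacy record needs rehash:", needs_rehash(legacy))
```

Compared with the "encrypted passwords" the report describes, a record produced this way cannot be decrypted with a stolen key: an attacker holding the table must run the memory-hard KDF per guess, per user, and the per-record salt prevents amortising that work across accounts.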