Full Report
In January 2021, the parody site Windows93 suffered a data breach of the Myspace93 sub-site after a beta application was exploited to download server files. The compromised data was later leaked in June and included 46k Myspace93 accounts containing email and IP addresses, usernames and passwords stored in plain text.
Analysis Summary
# Incident Report: Windows93 / Myspace93 Data Breach
## Executive Summary
In January 2021, the parody website Windows93 experienced a security breach targeting its Myspace93 sub-site. An attacker exploited a vulnerability in a beta application to gain unauthorized access to server files, resulting in the theft of 46,100 user accounts. The compromised data, which included plain-text passwords, was subsequently leaked online in June 2021.
## Incident Details
- **Discovery Date:** June 2021 (Public leak)
- **Incident Date:** January 2021
- **Affected Organization:** Windows93 (Myspace93 sub-site)
- **Sector:** Entertainment / Parody Web Services
- **Geography:** Global / Internet-based
## Timeline of Events
### Initial Access
- **Date/Time:** January 2021
- **Vector:** Exploitation of a Beta Application
- **Details:** An unpatched or insecure beta application on the server was exploited, allowing for unauthorized file downloads.
### Lateral Movement
- **Details:** Not explicitly disclosed. What is known is that the attacker reached the server files holding the production user database from the beta application, so the application and the production data were reachable from the same foothold.
### Data Exfiltration/Impact
- **Details:** The attacker downloaded server files containing the user database. A total of 46,100 records were exfiltrated.
### Detection & Response
- **How it was discovered:** The breach was confirmed following the public leak of the data in June 2021.
- **Response actions taken:** The organization issued an official disclosure statement (dearCommunity.txt) and advised users to change passwords.
## Attack Methodology
- **Initial Access:** Exploitation of a vulnerable Beta Application.
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed (likely unnecessary if the application had direct read access to server files).
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Access to database/server files containing plain-text credentials.
- **Discovery:** Directory traversal or file inclusion via the beta app to locate database files.
- **Lateral Movement:** Not disclosed.
- **Collection:** Bulk download of server files.
- **Exfiltration:** Standard web-based download.
- **Impact:** Unauthorized disclosure of 46k user records.
## Impact Assessment
- **Financial:** Minimal direct financial loss reported; indirect costs related to remediation.
- **Data Breach:** 46,100 accounts comprising usernames, emails, IP addresses, and plain-text passwords.
- **Operational:** Disruption of the Myspace93 sub-site and necessity for security patching.
- **Reputational:** Significant impact due to the storage of passwords in plain text, which is a major security lapse.
## Indicators of Compromise
- **Network indicators:** Activity originating from the attacker's IP (not disclosed).
- **File indicators:** Web server or file access log entries showing reads of sensitive server files (such as the user database) from the beta application rather than from the production site.
- **Behavioral indicators:** Unusual traffic patterns to the beta application endpoint.
## Response Actions
- **Containment:** Removal or patching of the vulnerable beta application.
- **Eradication:** Securing server files and rotating any internal system credentials if necessary.
- **Recovery:** Public notification of the breach and instructions for users to reset passwords.
## Lessons Learned
- **Key takeaways:** Beta applications often lack the rigorous security vetting of production code and should not be hosted on the same server as sensitive production data.
- **What could have been done better:** Passwords should never be stored in plain text; salted hashing with a function built for passwords (e.g., Argon2 or bcrypt) would have limited the impact of the theft, because the attacker would have had to crack each hash individually instead of reading usable credentials straight out of the file.
## Recommendations
- **Encryption/Hashing:** Immediately implement salted hashing for all user passwords using a deliberately slow password hashing function (Argon2 or bcrypt), not a general-purpose hash such as MD5 or SHA-256, and reset or rehash existing plain-text passwords as part of the migration.
- **Environment Isolation:** Host beta applications in isolated environments (containers or separate servers) so that a flaw in an unfinished application cannot expose production data.
- **Least Privilege:** Ensure the web server user has only the minimum necessary file-system permissions, so that a file-download flaw in one application cannot read another application's database files.
- **Regular Audits:** Conduct periodic vulnerability scans and penetration testing on all sub-sites and applications.
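To make the hashing recommendation in Lessons Learned and Recommendations concrete, the following Python is an added example (not code from Windows93 or from this report). It hashes passwords with scrypt from the standard library as a stand-in for Argon2 or bcrypt, which need third-party packages; the record format (`scrypt$n$r$p$salt$digest`), the cost parameters and the sample rows are assumptions for the example, and the rows are constructed to mirror the username/email/IP/password layout the report describes rather than any real leaked data. It shows a per-password random salt, constant-time verification that rejects wrong passwords and malformed records, and a migration routine that replaces a plain-text table with hashed records while keeping logins working.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample rows in the layout the report describes (username, email,
# IP address, plaintext password). Every value here is invented for the example.
PLAINTEXT_ROWS = [
    ("tom", "tom@example.test", "203.0.113.10", "hunter2"),
    ("alice", "alice@example.test", "198.51.100.7", "correct horse battery staple"),
]

# scrypt cost parameters (assumed for the example): n is the CPU/memory cost,
# r the block size, p the parallelism. 2**14 keeps the example quick; a real
# deployment would tune n upward until hashing takes a noticeable fraction of
# a second per login.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAX_ACCEPTED_N = 2 ** 20           # refuse records that ask for absurd work
SALT_BYTES = 16
DIGEST_BYTES = 32
MAX_MEM = 64 * 1024 * 1024         # upper bound scrypt may allocate


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt$digest (hex fields)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt for every password
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=MAX_MEM, dklen=DIGEST_BYTES,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the parameters and salt stored in the record and
    compare in constant time. Any malformed, tampered or foreign-scheme record
    is treated as a failed login rather than raising."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        if n > MAX_ACCEPTED_N:
            return False                # parameters come from storage; bound them
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.scrypt(
            password.encode("utf-8"), salt=salt,
            n=n, r=r, p=p, maxmem=MAX_MEM, dklen=len(expected),
        )
    except ValueError:
        return False                    # wrong field count, bad hex, bad params
    return hmac.compare_digest(candidate, expected)


def migrate_plaintext_table(rows):
    """Convert plaintext rows into records that carry only a salted hash.
    The plaintext password is not retained anywhere in the result."""
    migrated = []
    for username, email, ip, password in rows:
        migrated.append({
            "username": username,
            "email": email,
            "ip": ip,
            "password_hash": hash_password(password),
        })
    return migrated


if __name__ == "__main__":
    table = migrate_plaintext_table(PLAINTEXT_ROWS)
    for row in table:
        print(row["username"], row["password_hash"][:40] + "...")
    # A leaked hashed table no longer yields usable credentials on its own,
    # but the legitimate login path still works.
    print(verify_password("hunter2", table[0]["password_hash"]))      # True
    print(verify_password("hunter2", table[1]["password_hash"]))      # False
```

The record carries its own cost parameters so they can be raised later without invalidating old hashes; on a successful login a service would compare the stored `n` against the current default and rehash if it is lower. Bounding `n` before calling scrypt matters because the parameters are read back from storage, and a tampered record should fail verification rather than exhaust memory.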