“db8151dd” Leak That Exposed 22 Million Sourced to Covve

The owner of a leaked database, dubbed “db8151dd”, has been identified. Those 22 million users belonged to address book service Covve.

Last week, a mysterious leaked database exposed about 22 million users. Security researchers tried to locate the owner of the database, but were unable to figure out who it was. So, in the absence of an identified owner, they named this large database “db8151dd”. From a report on 9to5mac at the time:

A massive data breach dubbed db8151dd has exposed the records of 22M people – including addresses, phone numbers, and social media links. But the source of the data is a mystery …

I got an email alert this morning from the haveibeenpwned.com site telling me that my details were included. The exposed data appears extensive.

Email addresses, Job titles, Names, Phone numbers, Physical addresses, Social media profiles

However, Troy Hunt, who runs the site, said that nobody has been able to identify where the information came from.

I was reticent to write this blog post because it leaves a lot of questions unanswered, questions that we should be able to answer. It’s about a data breach with almost 90GB of personal information in it across tens of millions of records – including mine. Here’s what I know:

Back in Feb, Dehashed reached out to me with a massive trove of data that had been left exposed on a major cloud provider via a publicly accessible Elasticsearch instance. It contained 103,150,616 rows in total […]

The global unique identifier beginning with “db8151dd” features heavily on these first lines hence the name I’ve given the breach. I’ve had to give it this name because frankly, I’ve absolutely no idea where it came from, nor does anyone else I’ve worked on with this […]

It’s mostly scrapable data from public sources, albeit with some key differences. Firstly, my phone number is not usually exposed and that was in there in full. Yes, there are many places that (obviously) have it, but this isn’t a scrape from, say, a public LinkedIn page. Next, my record was immediately next to someone else I’ve interacted with in the past as though the data source understood the association. I found that highly unusual as it wasn’t someone I’d expect to see a strong association with and I couldn’t see any other similar folks. But it’s the next class of data in there which makes this particularly interesting.
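The root cause Hunt describes is an Elasticsearch node reachable from the internet with no authentication in front of it. As an added illustration that is not from the post, from Have I Been Pwned, or from Covve (whose actual configuration is not known), here is the kind of elasticsearch.yml setting that produces that exposure next to a hardened equivalent; the address and certificate path are placeholders.

```yaml
# --- Exposed (constructed example of a weak configuration) ---
# Binding to every interface on a cloud host while the security layer is off
# makes the REST API on port 9200 readable by anyone who can reach the host.
network.host: 0.0.0.0
xpack.security.enabled: false

# --- Hardened (constructed example) ---
# Listen only on the private interface the application actually uses,
# require authentication, and encrypt the HTTP API.
network.host: 10.0.0.5                                  # placeholder private address
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # placeholder path
```

On Elasticsearch releases before 8.0, `xpack.security.enabled` was off unless set explicitly, which is why open instances like the one Dehashed found were so common; the configuration file is only half of the control, and the cloud security group or firewall should also keep port 9200 off the public internet, including for systems that have been decommissioned but never actually shut down.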

This, of course, is by no means the first time a random database was just floating around in the ether waiting to be picked up by anyone who happened to find it. Last year, a database breach or leak exposed 80 million Americans. No one was able to determine where that one even came from. So, such a situation isn’t unprecedented. However, it doesn’t make it any less worrying that such a large haul of data was just floating around in cyberspace unprotected.

In this case, however, the owner of the database was finally pinpointed. It turns out the database is owned by address book service Covve. From Portswigger:

Covve, the popular address book app, has been identified as the source of a data breach that exposed the details of nearly 23 million individuals.

Troy Hunt, founder of Have I Been Pwned?, tweeted on Saturday (May 16) that the app had been pinpointed as the source of a publicly accessible database that he had been investigating since February.

Hunt duly updated his blog post outlining the mystery of the 90 GB “treasure trove”, published the previous day, to confirm that “community sleuthing” had identified Covve as the data source.

He added that he had already been in touch with the Cyprus-based company about the breach.

In a security alert issued on Saturday, Covve confirmed that a third party had “gained unauthorized access to one of our legacy, decommissioned systems”.

The company added: “It appears at this stage that contact data such as name and contact details was accessed, that the data cannot be associated with specific users and no user passwords were compromised.”

Covve said it first learned of the breach on May 15 and “immediately launched an investigation”.

The statement continued: “We have taken all necessary measures to ensure that the security incident has been isolated and have confirmed that the system in question does not pose any further risk as it had already been decommissioned.

“We contacted and are in talks with the regulator, we have informed our users and will continue to post updates [on the security alert].”

Perhaps the good news in all of this is that the leak is being addressed and that regulators and users alike have been notified of the incident. This is arguably a much better outcome than the 2019 database leak/breach, because we don’t know if action was ever taken to secure that data. Additionally, we don’t know if users were notified. So, the good news is that, in this case, the story had a very different result.

May has truly felt like we were going from one security incident to another. It started with the Webkinz data breach which compromised 23 million users. That was followed up by the GoDaddy data breach. After that, there was the large Tokopedia data breach which compromised 91 million users. That breach also sparked a lawsuit in Indonesia.

After a brief pause, the security incidents just continued, starting with Unacademy. That saw 22 million users compromised. After that, we saw the largest incident so far this month with the Cam4 data leak. That saw 10 billion records exposed. That was followed up by the ironic weleakdata data breach. That saw hacker information sold on the dark web. After that was the MobiFriends data breach. That saw 4 million accounts compromised. Next was the Chatbooks data breach. Finally, we saw the law firm that represents US president Donald Trump and other celebrities like Lady Gaga get hacked. About 756GB was stolen and held for ransom.

At this point, it feels like all this happened over the course of the last few months. Instead, all of this was reported by us in this calendar month alone. We still have more than a week left before the end of the month, so we aren’t likely even close to finishing this month’s security incidents.

Drew Wilson on Twitter: @icecube85 and Facebook.
