The Expert's View with Jeremy Kirk

LinkedIn, MySpace Hacker 'Urgently' Needs Money

Market for Latest Mega Breaches is Disappearing Fast
Tessa88 has been seeking bitcoins for allegedly stolen data.

The market for stolen data is like any other: The less fresh the goods are, the harder the sell. And that includes the data released last month in an unprecedented round of mega breaches including MySpace and LinkedIn (see 'Historical Mega Breaches' Continue: Tumblr Hacked).

The data has circulated so widely among security researchers, companies and hackers that its value has fallen. Plus, companies that are affected are on close watch for suspicious login attempts.

And the alleged source of some of the breaches seems to be aggressively advertising the data to whomever might pay.

The LinkedIn and MySpace breaches, which were confirmed by both companies in May, came to light through someone going by the Jabber instant messaging handle "Tessa88@exploit.im." LeakedSource, a breach notification service, said it had been passed the data from those two services by Tessa88 (see LeakedSource: 'Assume Every Website Has Been Hacked').

My Chat with Tessa88

I've been trying to reach Tessa88 on Jabber for a while. It's believed that Tessa88 is a man living in Russia. It's also suspected several people might be using the same instant messaging account, including a woman. For simplicity's sake, I'll refer to the person as male.

Earlier this week, Tessa88 popped online and sent me an unsolicited spammy message: "vk.com 130.000.000 - 1btc twitter.com 100.000.000 2btc." The message was sent unencrypted, a sign that Tessa88 isn't being too careful these days or perhaps just doesn't care much about his security. The message felt like it had been sent to everyone in his contacts list.

Both of the batches of data Tessa88 offered are questionable. Vkontakte, the Russian social networking service, never directly confirmed it was breached, but said the data contained inactive logins and that the service strengthened its security in 2012. The alleged Twitter breach turned out to be fake: While some of the credentials may have worked, the list was an amalgamation of stolen data from other sources. Twitter said its networks weren't compromised.

Those releases haven't helped Tessa88's reputation. Alex Holden, founder and chief information security officer for Hold Security, says Tessa88's approach of releasing real data to bolster his reputation, but then duping buyers with questionable data "may be the mark of a good salesman." But he may simply not have any more legitimate dumps.

"The fact that we've been out two or three weeks since the last breach revelation is making me think that his streak is coming to an end," Holden says.

I was eager to learn more about what was going on and asked Tessa88 if there were still buyers for the data.

Tessa88 had been trying to sell stolen data on underground forums since early March. But the more accessible place to find the data for sale was on TheRealDeal, an underground market that uses the Tor anonymity network. Someone nicknamed Peace offered several data sets. It's not clear why Peace and Tessa88 have been working together.

I asked Tessa88 why he needed the money. In an interview earlier this month, Peace told Wired he'd made more than $35,000 selling the LinkedIn, MySpace, Tumblr, Fling and MySpace data sets.

Tessa88 says he only has made 100 bitcoins, or about US$66,740, which he claimed to have given to a good cause. I asked him why it's suspected that several people, including possibly a woman, use the Tessa88@exploit.im account. He didn't really answer, saying he is indeed a real person.

'We'll Have a Long Talk ...'

All signs point to declining credibility for Tessa88. The mislabeled data breaches have been quickly unraveled. His spammy instant messaging blast may be a last-ditch attempt to extract whatever value is left from whatever data remains.

Troy Hunt, who runs the data breach notification service Have I Been Pwned?, says that Tessa88 claimed to have data belonging to Dropbox, but it turned out to be a mishmash of Tumblr data and some Twitter accounts.

"These guys rely on credibility in order to elicit money from buyers, and when that's eroded it will have to impact confidence in future sales," Hunt says.

I had many more questions for Tessa88, including why data from the legitimate breaches has bubbled up years later and how services that should have had strong security in place could have been breached in the first place.

Before he stopped chatting, Tessa88 said he could talk about how he "cheated" LeakedSource, the website he shared data with. His relationship with LeakedSource is also fuzzy. It's unclear why he provided the data to that website when he was trying to sell it elsewhere.

"We'll have a long talk," he promised before falling offline.



About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



