Team GhostShell Returns with a Massive Release of Hacked Credentials

Team GhostShell has come out of retirement with a bang. In 2013, the group released millions of usernames and passwords related to all industries and countries. They had been dormant for almost three years until an announcement on June 28. The following was posted on their Twitter account today:

 GhostShell returns

According to our research, over 500 different databases were dumped from sites and sub-domains. Most of these databases involve education and government entities, and a basic scan of these sites has shown account information of over 17,700 users. Team GhostShell has posted email accounts and passwords, as well as many other usernames and passwords found in the vulnerable databases of the victimized sites.

According to CyberWar News reporter Lee J, “After making contact with TeamGhostShell, they had explained to me that not all data is going to be leaked from targeted sites and as an example of this got shown an exclusive set of data from an Australian cloud provider (redacted for now) which contains 1,500+ full banking information such as full names, home addresses, mobile contact numbers, contract dates and probably worst of all Tax file number (TFN). (provider has been contacted at time of publishing)”

Team GhostShell has also built a new pastebin next to their existing pastebin account with a paste titled “Dark Hacktivism – Information is everything.” The paste goes into some of the details regarding why the entities were targeted and warns that many others are vulnerable to a similar attack. While education and government entities are prevalent in the list, healthcare, lifestyle, and other well-known companies are also present.

To see a list of compromised environments, click here.

If you happen to be a user or consumer of any of the breached sites, you may want to reach out to the entity and inform them that this data has been leaked. In the meantime, end users should change passwords used to access any of the breached sites and any other sites that share the same password (e.g., social media networks, online banking, patient portals).

Team GhostShell’s call to action for the audience of their master list – “If you want to help them get patch then please report the vulnerabilities” – is an unusual one, one that suggests that in a way, they want to be good stewards of the Internet. On the other hand, they stated that they are going to continue this campaign and others like it until they get caught. 

Though Team GhostShell discusses their motivation on their pastebin site, the full technical details behind the exploit have not yet been released. This data breach highlights the importance of changing your passwords, choosing strong passwords, implementing a regular patching schedule, and staying informed of recent security events through security blogs, bulletins and newsletters.

References: 
CyberWarNews
Computerworld