ElSurveillance hacks and dumps two more dating sites; warns users about “Russian black hats”

The hacktivist known as ElSurveillance, whose operation is #EscortsOffline, is back with two more data dumps from dating sites.

The first target was 24luv.com, where ElSurveillance claims he hacked and dumped 92,937 users’ email addresses and plain-text passwords. In a defacement on the site, ElSurveillance writes, in part:

I compromised this website about four months ago and I have been watching it for couple of months now I finally decided to warn all the users and anybody who’s thinking about join this service This dating website runs under a Russian black hat cyber criminals who aims to collect all your data As much as possible so they can target you or sell it in the underground market forms You’re data/personal information ain’t safe, So you are And you better start thinking about the long term damage this may/might cost you, Your family and friends There are plenty of profiles out here which are fake and even the reviews are editable and more Download {92937} Hacked accounts “Email & password” in plain-text Make sure you change all your passwords And make sure you warn anybody you know who uses/used this website I did my best & you should do the rest Stay safe mate

The message was followed by an encouragement to users to follow Islam and the way of Allah. The data dump includes 8,081 Gmail logins, 61,035 Yahoo logins, and 9,826 Hotmail logins.

The second site was freedateusa.com, where ElSurveillance left the same defacement message. The database, uploaded to Sendspace, contains 127,395 email addresses and plain-text passwords, including 6,890 Hotmail logins, 42,450 Yahoo logins, and 25,664 Gmail logins.

I asked ElSurveillance if he was serious about the claim that the site was run by Russian blackhats or if he was just trying to scare users off. In a private chat, he replied that all of the sites that he has been leaking data from are developed by the same developers:

They all share the same Admin username and only 3 different passwords [and are] Hosted on the same server They edited a profile that I created and the reviews They even messaged my (sic) on behalf of the users and asked for money or my account will get deleted The IP address who messaged me matched the IP Address of the admin logs including some of the profiles that were created and many more Passwords are store in plain-text and view-able to the admin I have been monitoring them for 2 months, And I don’t have a reason why should I scare the users, They will get punished anyway 🙂

ElSurveillance tells DataBreaches.net that in the next few days, he plans to include all the admin identities and login details in a final dump that will include more than 50 dating websites/databases and over 5 million emails and passwords in plain-text. “I already got the real identities of the developer(s),” ElSurveillance tells this site, “But still trying to figure out if the developer(s) and who runs the sites are the same person/group”

A site lookup shows that both 24luv.com and freedateusa.com are hosted on datingcreator.com and are registered in Russia.

When asked if he had any evidence that the sites are actually selling user data on the dark web, ElSurveillance acknowledged that he had no proof, as he hadn’t looked:

But from the way how I have seen they collect/collected the users data, I strongly believe it’s only to be sold, These targets seems to me never been hacked before “Which I’m surprised” because they all have the same multiple vulnerabilities and the passwords are easy to guess, I never visited any darkweb before to see wither they already are in the darkweb or no, But it could be for the future plan

In any event, we should expect another and larger data dump from ElSurveillance within the week.

79 escort sites hacked in past week: ElSurveillance

I’ll admit I sometimes ignore data dumps or hacks if they don’t fit my particular interests in reporting on breaches that impact health data or student data. But occasionally I remind myself that all breaches that expose personal information do need to be taken seriously. Yes, even those, as with the Ashley Madison hack, where some people may feel, “Well, they deserved it because they were behaving immorally.”

In the spirit of not judging, then, it’s worth noting that a hacker who calls himself “ElSurveillance” contacted me about a lot of hacks he claims he has executed targeting porn sites and escort sites.

The first hack, which is the only one he dumped all the data from, was drjizz.com. ElSurveillance, who self-identifies as Moroccan, dumped 30,263 email addresses, usernames, and plain-text passwords. Since drjizz.com’s site claims to have 20,000 registered users, there seems to be a mis-match. Inspection of the data dump suggests many of the email addresses appear to be throwaway addresses. An attempt to google some of the email addresses returned no results.

The site was notified of the data dump last week and sent a sample of the data, but never responded to the notification or a request for confirmation or denial as to the authenticity of the data. @ElSurveillance informs DataBreaches.net that this hack took place last year, but he has been just sitting on the data since then and updated it before pasting it.

Later in the week, ElSurveillance pointed DataBreaches.net to a paste identifying 71 sites he claims to have hacked. I asked ElSurveillance if the sites were (only) defaced or if he also downloaded user data. He replied that he had hacked and downloaded data:

Some with login details such as Emails, Usernames and passwords and some the user’s private personal information including their IP adresses and so on

As of now, he has not dumped any of the personal information from those 71 sites, but says he’ll be hanging on to it for a while.

When asked why he was targeting escort sites, he provided DataBreaches.net with this statement:

I have been running an operation under the hashtag #EscortsOffline against the escorts website and agencies, Because I strongly believe that our bodies are gifted from Allah (God) to us to look after and not to destroy, And I always hated the idea of people selling their bodies for money which it gives a chance for the escort agencies to take advantage of these people who are in need So many women carried (HSV, HPV, and HIV ….) because they thought that they can earn easy money by join these agencies inc men But what most of people don’t really know that 99% of these agencies are fake, Scams and always ready to make money on your behalf And for what I have seen in my attacks and the databases that I took, They create fake accounts, Profiles and display fake photos that their owners don’t even know that these website have them So I decided to use my skills in something that I believe is good, And hopefully one day the other hackers will carry the same attacks to spreading the words.

But will any of the real people/accounts even learn that their information has been hacked? Probably not. So what good does this actually do? DataBreaches.net posed that question to ElSurveillance, who replied:

… when you report the attack to the site owners probably you will see either they try to deny the attack or claim that the leaks isn’t real, And the reason why they will say that that is simple because they don’t want to lose their clients because once people start to hear about their data has been hacked, They will stop for a second and think about what they are doing which is exactly what I want them to do I’m here to do the good thing and not the bad thing, Dumping their data isn’t one of the things that I like to do but sometimes I have to do dump the leaks so someone else can hack into their account(s) because if you never harm these people at least once, They won’t receive the message

El Surveillance followed that response with another message:

8 escorts hacked http://justpaste.it/q16k

DataBreaches.net has made no attempt to notify any of the 78 sites listed in the two pastes or to verify the claimed hacks. Because while I do care about personal information, I’m just too busy dealing with leaks where I know the people/accounts are real. If anyone does independently verify the hacks at some point, please let me know and I’ll update this post.

UK: Privacy breach at Gloucestershire County Council exposed medical information online

When hacktivist @ElSurveillance recently tweeted that 14 government sites had the same vulnerabilities, including MYSQL, Cross Site Script, etc., someone responded that councils were generally not considered “government.” DataBreaches.net had – and will continue to – consider them “government” entities, as local government is still government. And in this site’s experience, council breaches can involve sensitive information, such as when council social workers lose records on residents they are assisting, or when personal information of residents is improperly exposed online.

As a current example, Sam Evans reports on a breach at Gloucestershire County Council that reportedly involves personal and medical information on vulnerable adults.

GCC were notified of the data breach on April 3 but three weeks later, the sensitive documents remain available. Rachel Smith, Green Party County Council Candidate for Minchinhampton Division, discovered the data breach whilst researching social care procedures and funding. She said: “I was completely shocked when I found myself reading such detailed information about vulnerable adults. “The documents were there online for anyone to take a look at, and whilst the names were reduced to initials, the information was detailed and sufficient to make the people they related to identifiable.

Read more on Gazette.

Lone hacktivists persist, but are they making a difference?

Sometime around June, 2015, a hacktivist who calls himself @ElSurveillance on Twitter began defacing web sites of escort services. In July, 2015, I became aware of him and began reporting on his attacks, which usually include messages left on the sites about how the service and conduct is an affront to Islam.

To get an idea of how prolific @ElSurveillance is, his record on Zone-H.org lists 299 defacements, of which 52 are single IP-address defacements, and 247 are mass defacements.

Last month, I was surprised to read on Twitter that he was leaving for “a better place.” It turns out, the “better place” was not what I had understood that to mean. Now he’s back announcing new attacks, including an as-yet-unnamed Australian site:

Hitting an #Australian #Escorts classifieds with a massive data-leak which includes emails passwords in plain-text and Nums #EscortsOffline pic.twitter.com/v4tmyJEHpd — ◖المـــراقــــــبة◗™ (@ElSurveillance) February 19, 2017

He’s also coding his own scanners:

Admin Page Scanner under the development especially for #EscortsOffline #IOnlyNeedAWebBrowser4hacking pic.twitter.com/zDs4myKcr7 — ◖المـــراقــــــبة◗™ (@ElSurveillance) February 19, 2017

As we’ve seen with him before, it’s not unusual for him to hit a whole bunch of sites that may be on one server:

26 Escorts websites #hacked – https://t.co/TtuxXeY5kg – Slapping them all #EscortsOffline — ◖المـــراقــــــبة◗™ (@ElSurveillance) February 15, 2017

Usually, he neither exfiltrates nor dumps any personal information. His message is generally in the defacement message he leaves. But as I learned recently, defacements aren’t his only method of attack, although other methods are not under the “ElSurveillance” identity.

So why does this site continue to cover him, you may be wondering. Well, frankly, I’m fascinated to watch someone who does not affiliate with others, but under his own nickname, has been on a consistent mission for almost two years now. He does not seek media attention, and generally doesn’t get it – probably because most people don’t care about escort service sites and most people using those sites are hopefully smart enough to use throwaway email addresses or names. And yet he persists.

ElSurveillance isn’t the only hacktivist who persists, however. I recently became aware of “[Nine]” whose Twitter account is @NyuSecurity. His profile says:

~#Defacer ~#AntiSec ~ #StopKorrupcion# More than 5000 .com.ar hacked # #FreePalestine |DHKC ~ ACAB|

Indeed, if you check his activity on Zone-H, you’ll find that he has 3,489 defacements, of which 287 are single-IP addresses and 3,202 are mass defacements since November of 2013. Unlike ElSurveillance, however, [Nine] has a number of issues that he lists in his defacement messages. Also unlike ElSurveillance, [Nine] exfiltrates and dumps data:

Ministerio de Modernización Argentina – hacked by @NyuSecurity pic.twitter.com/GJRFQHd75S — [Nine] (@NyuSecurity) May 20, 2016

So do these somewhat lone hacktivists make a difference? I recently asked @ElSurveillance if he feels that his efforts have made any difference or had any impact. In DM on Twitter, he replied:

To be honest I haven’t checked all the sites I attacked since I started the operation, But yes, I have seen some of them who were suspended or no longer in operation, especially the ones who claimed to be serving in the Islamic Countries…. And as an individual attacker, I strongly believe it worth my time.

Somehow, it’s always the groups that get media coverage, whether they brand themselves as “Anonymous” or “Lulzsec” or some other name, but we should not lose sight of individuals who are out there, trying to change the world for issues they care about. Whether you consider them criminals or heroes, they are true hacktivists.

Update: Post-publication, I received a reply to my email inquiry to @NyuSecurity as to whether he felt he was making a difference. His response:

I mainly try to make the difference for myself, to practice, improve and so on. I can say that many companies and State agencies have more security after I exposed a breach. I can also say that many have heard my message and have reconsidered what was going wrong.

So he, too, feels like he is making some difference and that his targets are hearing his message and not just increasing their site’s security, although even that could be considered having an impact.

Islam-based #EscortsOffline campaign continues to leak users’ data

For about one year now, I’ve been covering the hacktivism of a self-identified Moroccan hacker known as ElSurveillance (@ElSurveillance on Twitter). Other media outlets have been starting to pay more attention to him recently, too.

As he had explained to me in December, ElSurveillance defaces and hacks sites advertising escort services or that have adult themes for religious reasons. Such services violate Islam, he tells me.

Out of all the hacks and hackers I have covered on this site, I think ElSurveillance’s activities are probably one of the purest examples of hacktivism that I have seen. I may not share his goals, but I have never seen any indication of malice or greed on his part (I’m referring to ElSurveillance as “he,” but of course, I can’t know for sure). I’ve seen no evidence that he is using the data for any purpose other than trying to shame or force sites to stop what he considers to be morally unacceptable conduct. And occasionally, he diverts to other attacks, like his recent attempt to get the attention of a town in the UK that was vulnerable to SQLi.

This week, ElSurveillance contacted me to tell me about four of his more recent attacks and data leaks.

One leak consisted of 12,738 records containing username, email address, and passwords (all plaintext) from afrikadating.com. Because the site did not appear to me to be an escort service but rather, just a dating site, I asked him why he targeted it. In private communications on Twitter, he replied:

I’m after any site that claims to be providing any sexual services in the Islamic Countries, That site had around 33 profiles who claim to be providing sex services in Algeria, Tunisia, Egypt, I asked the admin to remove them, They refused, So I took Control of it, I removed these profiles and published the users login details.

He added:

I don’t usually go after these websites, But when they cross the line. They get punished.

In another incident, ElSurveillance attacked reaach.com and dumped a member’s table with 1,489 records with ID, username, email address, hashed passwords, and other personal details. As is this site’s policy, I am not linking to any of the data dumps, but inspection of this one revealed that some people uploaded pictures, resumes, and other personal information. Reaach.com advertises itself as a one-stop business profiles site for the UAE. ElSurveillance informs DataBreaches.net that he had contacted REAACH a few months ago about some escort profiles on their web sites. “They removed them but only from the search engine and not from their database,” he stated. Inspection of the leaked database confirmed that there were still such listings in there.

In a third incident, ElSurveillance attacked an Australian adult dating site with 67,122 users — adultsinglesites.com.au. Leaked data did not include any names, but did include IP addresses, email addresses, and hashed passwords. But not only did he attack adultsinglesites and leak data in three data dumps, ElSurveillance redirected their home page to his Twitter account, @ElSurveillance. As of today, the site does not appear to have regained control over that, even though the hack was no later than July 1.

And in one more incident that he shared with DataBreaches.net, ElSurveillance attacked PinkDate in the UK. That leak included 1,638 records with email addresses and MD-5 passwords, many of which appear in plaintext, too.

One of the more unusual aspects to ElSurveillance’s hacktivism is that he does seem to contact entities first and request that they remove escort service listings. In his Twitter timeline, I saw mentions of other recent attacks of his, including keeping one site knocked offline for at least four days now for “promoting escort services in Dubai:”

#KilELSlar – https://t.co/ZnzBwlaUWM – Has been down for 4 days straight, For promoting #escort services in #Dubai – #EscortsOffline #Islam — ◖المـــراقــــــبة◗™ (@ElSurveillance) July 14, 2016

Perhaps the most surprisingly civil exchange was one ElSurveillance had with @ConnectBuzz, who have seemingly agreed to revise their system to remove offensive listings.

Of course, not everyone will agree with ElSurveillance’s mission, and some people have challenged him on that. Others, however, appear to be cheering him on and suggesting other sites for him to look into.

I don’t know if ElSurveillance will have any significant impact on the presence of online escort services, but he certainly seems to be on a one-man campaign to get entities to not market such services in Islamic countries. When I asked him if he thought he was having an impact or making a difference, he replied:

Yes definitely especially for the reputation of my religion, People and culture, Many of these websites claim to be based in the Islamic Countries which we never welcome any such a behavior, And also I make a difference by reporting the vulnerabilities to the good guys instead of abusing them.

DataBreaches.net will continue to follow his hacktivism and campaign.

Porn Sites Hit By Malware: Malwarebytes

Payal Patak reports a malvertising attack on hundreds of porn sites left millions of people’s devices infected, beginning in November. In this case, the ads were hosted and served by AdExpansion, an adult ad network:

US-based security firm Malwarebytes detected popular websites such as xHamster, RedTube, PornHub and the likes to have been seriously attacked, which caused their data being compromised. These websites are moderately popular and attract several million visitors each day. Other porn-sites recordely hit by malware were DrTuber, Nuvid, Eroprofile, IcePorn and Xbabe.

Read more on Korea Portal.

Malwarebytes had reported the problem at the beginning of December. AdExpansion had confirmed it, noting that although they had disabled the ads within hours of notification, they had been unable to prevent the malvertiser from creating new accounts.

So malvertising on porn sites and ElSurveillance hacking escort services and porn sites. And Ashley Madison data getting dumped. How safe do you feel engaging in online pursuits of these kinds? By now, you should be prepared that any account you use may wind up compromised and that you may wind up exposed.

More escort-related services hacked

Of course, the big news today was the hack of AshleyMadison.com and the potential embarrassment it may cause to those using its services to have affairs. Not to be deterred from his mission, however, @ElSurveillance continued attacking escort-related sites, posting the same message on their home page that he’s posted in the past:

Dear Admin and the clients What such a great example you have given to the world On how we can teach and raise our next generations So they can live a much better life, Server and save our Planet instead of just wasting their money and help Spread the viruses just like every single stupid Government in every single country do these days Since you came all the way to here, They’re two things That you can do while still viewing this page 1 – Turn on your volume and listen to the Qur’an & Just Listening to your feelings instead of listening to the Media and the stupid ISIS 2 – Have a look at your Logs which includes your IP

Today’s batch of escort-related services defaced/hacked by @ElSurveillance, with links to their mirrors on Zone-h.org:

ohcecilia.com | Mirror: https://zone-h.org/mirror/id/24614724
seductivealchemy.com | Mirror: https://zone-h.org/mirror/id/24614724
sofiadelterra.com | Mirror: https://zone-h.org/mirror/id/24614736
taliaamour.com | Mirror: https://zone-h.org/mirror/id/24614749
tabithalayne.com | Mirror: https://zone-h.org/mirror/id/24614762
tawnybrie.com | Mirror: https://zone-h.org/mirror/id/24614806

Note: @ElSurveillance does not appear to be dumping any personal data on users, other than their IP addresses and browser info that shows up in the sites’ logs. But the hacks are yet another reminder that if you don’t want your details and activity on a site showing up in a data dump, are you using a throwaway account and a proxy (unless, of course, you have to give your credit card details to get services or have your account deleted, in which case you better hope for strong encryption and no pissed-off employees who want to screw their employer!)? Alternatively, you could not visit/use those sites, which seems to be what @ElSurveillance is hoping you’ll choose to do.

Update: @ElSurveillance informs DataBreaches.net that he has acquired user data from sites but hasn’t dumped it – yet.

Another escort service-related site hacked with data dumped

@ElSurveillance, who has attacked a number of escort service-related sites such as the MeetMeInYourCity.com hack, has released another data dump tonight – this one for Captain 69™ Worldwide Escort Reviews. @ElSurveillance posted 2,653 usernames and passwords from the UK site, with a note pointing people to crackstation.net to crack the sha256 to plain-text passwords. Well, at least the site tried to secure their passwords somewhat, which is better than what we’ve seen with other sites. If you ever registered for the site, change your password for the site and any other site where you may have re-used that password.
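
Why a lookup service can reverse hashes like the ones in this dump, and what storing them properly looks like, as an added example that is not from the original post or from the site's code. It assumes the dumped SHA-256 values were unsalted (which is what makes a lookup table usable); the sample accounts, scrypt cost parameters and record format are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional

# Assumed scrypt cost parameters for this example (about 16 MiB per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

# Constructed sample accounts; two users picked the same password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "Tr0ub4dor&3"}


def unsalted_sha256(password: str) -> str:
    """Weak scheme: a fast, deterministic digest with no per-user salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: random per-user salt plus a memory-hard KDF."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Store parameters with the hash so they can be raised later.
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), dk.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, OverflowError):
        return False  # malformed or unsupported record
    return hmac.compare_digest(dk, expected)


def accounts_sharing_a_value(stored: Dict[str, str]) -> int:
    """Count accounts whose stored value equals some other account's.

    Any non-zero result means equal passwords map to equal stored values,
    which is the property precomputed lookup tables depend on.
    """
    counts = Counter(stored.values())
    return sum(c for c in counts.values() if c > 1)


def build_tables():
    """Return (weak, hardened) credential tables for the sample accounts."""
    weak = {u: unsalted_sha256(p) for u, p in USERS.items()}
    hardened = {u: hash_password(p) for u, p in USERS.items()}
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = build_tables()
    print("unsalted SHA-256, accounts sharing a value:",
          accounts_sharing_a_value(weak))
    print("salted scrypt, accounts sharing a value:",
          accounts_sharing_a_value(hardened))
    print("login check:", verify_password("sunshine1", hardened["alice"]))
```
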

MeetMeInYourCity user email addresses and passwords dumped (updated)

From MeetMeInYourCity.com, a site that describes itself as a “directory listing of independent escorts, exotic dancers, strippers’ adult entertainers, masseuse and escort agencies,” here’s part of their Terms & Conditions:

Secure technology is used to ensure your sensitive information is secure and protected from unauthorised access or improper use. […] Your personal password is confidential and is encrypted to ensure its secrecy.

So why is there a data dump by @ElSurveillance of an alleged hack that shows 2,500 users’ email addresses with clear-text passwords?

DataBreaches.net sent an inquiry to MeetMeInYourCity.com last night to ask them to confirm or deny the data is from their database, and why, if it is their data, the passwords are in clear text. No response has been received as of this post, but this post will be updated if one is received.

MeetMeInYourCity is not the only escort-related site attacked by @ElSurveillance, whose profile says “An owl #Hacktivist – I aim to deliver a tiny message to the escort agencies, #EscortsOffline is their actual flag – I always use the front doors – #Dos.” See numerous instances of defacements on Zone-H. In the defacements, ElSurveillance leaves the following message:

Dear Admin and the clients What such a great example you have given to the world On how we can teach and raise our next generations So they can live a much better life, Server and save our Planet instead of just wasting their money and help Spread the viruses just like every single stupid Government in every single country do these days Since you came all the way to here, They’re two things That you can do while still viewing this page 1 – Turn on your volume and listen to the Qur’an & Just Listening to your feelings instead of listening to the Media and the stupid ISIS 2 – Have a look at your Logs which includes your IP

In the meantime, if you ever signed up for MeetMeInYourCity.com, you might want to change your password for that site and any other sites if you re-use passwords across sites.

Update: MeetMeInYourCity.com still has not responded to the notification and request for response, but @ElSurveillance provided the screencap below as proof of access to their server: