Feb 23, 2018

More details have emerged about a breach previously reported on this site on February 16. The breach involves RoomSurf, a commercial service to help college students find roommates.

As I reported at the time, RoomSurf did not respond to inquiries this site had sent about a breach notice email its members received. And that’s where things remained until yesterday, when I received a file via email that appeared to contain RoomSurf user data.

The file, roomsurf_premium_users_2012_part_1.csv, was also sent to RoomSurf, RoomieMatch, and Roommates. Inspection of the file revealed that it contained 3059 user records with the following fields:

txn_id,"ipn_track_id","user_id","verify_sign","notify_version","payer_id","payer_status","payer_email","first_name","last_name","contact_phone","residence_country","payment_type","btn_id","receiver_email","receiver_id","address_street","address_name","address_city","address_state","address_zip","address_country_code","address_country","address_status","item_number","item_name","quantity","mc_currency","mc_gross","mc_fee","tax","payment_gross",

DataBreaches.net reached out to RoomSurf yet again for comment. Once again, there was no response. But while RoomSurf continued to ignore inquiries, the person who emailed me the file was willing to answer some questions.

In a private chat, the individual, who I’ll call “rmsrf,” claimed to have the complete source code for the main webpage at roomsurf.com, for textsurf.com, and a 20 GB dump for RoomSurf’s database of more than 1 million user profiles.

When asked whether the data had been acquired by a hack or from a leak, he responded, “Well if you could only see their source code you would not call it hack or leak :). it's like swiss cheese - full of holes. legacy php code 7+ years old.”

That assessment of their security doesn’t exactly sound like the “commercially reasonable” security RoomSurf assures users it provides:

Roomsurf uses commercially reasonable safeguards (physical, managerial, and technical) to preserve the integrity and security of your Information. However, we cannot ensure or warrant the security of any Information you transmit to Roomsurf and you transmit any such Information at your own risk. Once we receive your transmission of Information, Roomsurf makes commercially reasonable efforts to ensure the security of our systems. However, please note that this is not a guarantee that such Information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.

As recently as yesterday, rmsrf claimed, he had shown RoomSurf one more hole in their security. “I was able to login as any of their users, using http referrer header,” he told DataBreaches.net.

On inquiry, it turned out that rmsrf had been contacting the site fairly frequently (“i send them email everyday”), but they ignored his emails and his requests that they pay him not to disclose the breach and, in return, show them where all the security holes were. Based on a Reddit post from last week, DataBreaches.net asked him whether he had left a defacement message and demand for money on the site when he attacked it. He acknowledged leaving a demand for 5 BTC. The site removed the demand message within a day, he said.

Not pleased with his requests for money being ignored, rmsrf claims to have created a Facebook account and used it to post messages on RoomSurf’s FB page and university group pages to warn users, “But I got blocked from FB. :)”

But despite what RoomSurf’s CEO had told members in the notification email, namely that the breach involved “certain user contact information that included names, phone numbers, and email addresses,” rmsrf claimed that other tables included students’ date of birth and the messages they were sending each other while searching for roommates.

As proof, rmsrf provided DataBreaches.net with some data from users_table. That table contained the following fields:

id,"ppid","fbid","user_group_id","username","fbusername","password","email","phone","ppemail","school_id","semester_id","year","class_year","major_id","roommate_type_id","preferred_residence","first_name","last_name","locale_id","gender_id","dob","hometown_city","hometown_state","profile","interests","contact_criteria","facebook_uri","youtube_uri","activation_code","last_visited","last_modified","created","status","payment_status","upgrade_message_status","survey_status","match_status","like_status","receive_messages","receive_newsletter","survey_visible","facebookid","payment_date","subscribed","logcount","sent_messages","referral","payment_email","referral_user_id","user_referral","upgradeVisit"

Here’s a redacted example of the kinds of information some users submitted there:

101274,NULL,xxxxxxxxxxx,6,"Matthew30",NULL,"4495454e5fb3bfd24561ed48aaf93c31","facebook","(xxx) xxx-xxxx",NULL,808,1,2017,2018,22,2,"I'm already in a 2 bed 1 bath duplex and need roommate","Matthew","XXXXX",NULL,"M","199x-xx-xx","Little Rock","AR","Hi,
My name is Matthew.
I'm 24 years old and currently looking for a new roommate.
I love to hang out with friends, watch tv and movies, play video games, etc
Message me to find out more about me!"

Additional details listed his favorite type of music, shows, etc.

DataBreaches.net was able to verify that the entries in the file corresponded to actual Facebook profiles and identifiable individuals.
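As an added example that is not part of the original report: a dump laid out like the users_table excerpt above cannot be counted or redacted line by line, because quoted fields such as profile (and the message bodies in the second file) span several physical lines. The snippet below uses the column names from the header quoted in the article, with a constructed sample record (made-up values, not leaked data), parses it with a real CSV reader, and masks the sensitive columns before anything is counted or shared.

```python
import csv
import io
import re

# Column names copied from the users_table header quoted in the article
# (cut after "profile" to keep the constructed sample short).
USERS_HEADER = (
    "id,ppid,fbid,user_group_id,username,fbusername,password,email,phone,"
    "ppemail,school_id,semester_id,year,class_year,major_id,roommate_type_id,"
    "preferred_residence,first_name,last_name,locale_id,gender_id,dob,"
    "hometown_city,hometown_state,profile"
)

# Columns that must be masked before any record leaves the triage machine.
SENSITIVE = {"password", "email", "phone", "ppemail", "dob", "fbid", "last_name"}

# Constructed sample record (not real data). The quoted profile field spans
# three lines, exactly the layout that breaks a naive line-per-record count.
SAMPLE_DUMP = USERS_HEADER + "\n" + (
    '101274,NULL,1234567890,6,"Matthew30",NULL,"4495454e5fb3bfd24561ed48aaf93c31",'
    '"m@example.invalid","(555) 555-0100",NULL,808,1,2017,2018,22,2,'
    '"I\'m already in a 2 bed 1 bath duplex","Matthew","Doe",NULL,"M","1993-04-05",'
    '"Little Rock","AR","Hi,\nMy name is Matthew.\nMessage me!"\n'
)


def mask(column, value):
    """Return a shape-preserving placeholder for sensitive columns."""
    if column not in SENSITIVE or value in ("", "NULL"):
        return value
    if column == "password":
        # Keep only charset and length: enough to tell a hex digest from plaintext.
        kind = "hex" if re.fullmatch(r"[0-9a-fA-F]+", value) else "other"
        return f"<{kind}:{len(value)}>"
    return "x" * len(value)


def naive_line_count(dump_text):
    """What a wc -l style count reports: every physical line except the header."""
    return len(dump_text.splitlines()) - 1


def triage(dump_text):
    """Parse with a real CSV reader (quoted newlines handled), mask, and count."""
    reader = csv.DictReader(io.StringIO(dump_text))
    rows = [{c: mask(c, v) for c, v in row.items()} for row in reader]
    return {"records": len(rows), "columns": reader.fieldnames, "rows": rows}


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    print(naive_line_count(SAMPLE_DUMP), "lines vs", result["records"], "record(s)")
    print(result["rows"][0])
```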

A second file provided by rmsrf, called “message”, contained the following fields:
id,"sender_id","recipient_id","message_type_id","title","message","created","status"

Here’s a sample of messages from that file, with identifiers/IDs removed by DataBreaches.net:

"Hey! I'm going to be a freshman this coming fall and my roommate and I are looking for a third! Let me know if you're interested!
2018-01-29 00:48:41",

Hey Micky, just wondering if you have a roommate for the fall of 2018?
Luke ","2018-01-29 00:33:35"

In some of the interactions, potential roommates discussed their majors and interests and what kind of roommate they would be.

So why did rmsrf go after RoomSurf? Was it just low-hanging fruit or was there some gripe or other reason?

Rmsrf replied, “i have personal reasons but one i can share with you, is that they sold/rented my data to universities. i started receiving marketing email from universities that i never heard of.” When asked how he could be sure that RoomSurf was the one providing the data to universities, Rmsrf noted that he had used a unique email address that was only associated with their site.

But that wasn’t rmsrf’s only gripe. “also,” rmsrf continued, “they ask $20 from users, earn $1M+ and don't spend some of it on security.”

Hopefully, they have invested some of it now if their security is as bad as rmsrf describes. But as it is, rmsrf appears to have data of more than 1 million young people who used RoomSurf’s services. And that includes their contact info and their date of birth. This may not be the most sensitive information, but it can’t be good. Might this have been a situation in which a firm should have offered to pay a bounty in exchange for a nondisclosure agreement, certified destruction of data, and information on where the security holes were that enabled the attack? Or did RoomSurf do the right thing by not responding to demands? What do you think?
