Revenge is mine, saith a hacker. No big deal, saith a researcher.
Vinny Troia, a self-described security researcher and and the owner of cybersecurity firms Night Lion Security and DataViper.io, will be the opening keynote speaker at SecureWorld’s virtual conference this coming Wednesday. He has promoted himself and his talk by claiming that he will reveal all of the identities of key members of thedarkoverlord, GnosticPlayers, and ShinyHunters.
But while he may have been working on finalizing his presentation, someone who may be upset by his upcoming talk has been busy trying to discredit him.
DataBreaches.net received an anonymous tip earlier today pointing this site to a site where someone makes it clear that they are out to destroy his career.
The site contains a zine and other materials, including a list of allegedly all of the databases DataViper.io has amassed. That list, which DataBreaches.net is not reproducing here, includes well-known breaches, but also appears to include more data on some than was made publicly available.
Some of the databases on DataViper.io appear to come from leaks that Troia found, while others may be databases that Troia might have bought from hackers or data resellers, allegedly on behalf of his clients. Troia has occasionally claimed that he is acting ethically if he makes purchases on behalf of his clients with their authorization. It’s not clear, however, whether that is always lawful. The government has tried to provide some guidance as to under what conditions researchers or agents of data owners might purchase stolen data lawfully and under what conditions they might be setting themselves up for legal problems. DataBreaches.net is not a lawyer and offers no opinion on whether Troia’s conduct is always legal, although like Brian Krebs, this blogger has had concerns about reports about him (as well as false statements he has made about me to others).
A number of threat actors have claimed that he buys, sells, and trades databases with them, and acts just like any other threat actor, including trying to get them to give him information he wants in exchange for other information, such as offering to tell one threat actor what the government is doing or not doing about something in exchange for the threat actor giving him something he wanted.
From the zine the anonymous individual created:
DataViper is a data lookup site much like WeLeakInfo, LeakedSource and the others that came before it . For some reason Vinny thinks he’s above the law here given that the aforementioned sites have all been shutdown or seized by Law Enforcement . He will claim that he only gives access to organizations and LE but if you look through the data he gave access to DDB ( a member of GnosticPlayers  ) for several months ( August 27th 2019 to March 4th 2020 ) during which time DDB hacked many more sites  . I suspect as part of this relationship Vinny would get the data that DDB hacked in return which would make him complicit in DDB’s activities . If you go through the release list he has most if not all the Gnosticplayers data as a result of his special relationship with them . Unfortunately the DDB account was deleted before I compromised DataViper and its search history erased so those logs are not available but it’s easy to imagine how useful this lookup would be to the ShinyHunters/Gnosticplayers group as they mainly target developer Github accounts with password reuse . He also gave access to other people from RaidForums and to the WeLeakInfo admin  . https://www.dataviper.io/blog/2019/gnosticplayers-part-1-nclay-ddb-nsfw/
 If you look in the DataViper production DB in the user_activity table for references to DDB you can see that Vinny’s account makes a lot of updates to the profile details of DDB beginning in August 2019 and ending in March 2020 when he deletes the DDB account .
 Look for [email protected] and [email protected] in the user_activity table .
Obviously, allegations and accusations are just that. But is this a case of where there’s smoke, there’s some fire?
DataBreaches.net contacted Troia for a statement about the hack. He responded:
The post and everything was incredibly overblown, designed to discredit my talk and report which are coming out this week. The only thing they accessed was an old development server. And the “data” they are claiming came from my server is nothing more than NSFW and Gnostic’s data that has been on sale for months.
They are just upset about the fact that I can tie Shiny, Gnostic and TDO all together.
That seems quite true– that someone is upset — but are the data solely the NSFW and GnosticPlayer data that have already been publicly circulated? Doesn’t DataViper.io claim to offer access to private and undisclosed breach data. Will those data be on sale on the dark web, too?
Since I started working on this post, there have been more developments. After I contacted Troia for a statement, he started tweeting about the situation. And then things escalated a bit more, with another Twitter using posting a link to a paste. That paste provides examples of data found on DataViper that have allegedly not been publicly revealed before, I think the post is inaccurate about verifications.io as most of that has been released publicly, but there are other databases where I think the anon writer is correct and that the data have not been made public before now.
The zine-writer also notes that they still have access to the server:
You might be wondering how DataViper was hacked  . At the present moment I still have access to the DataViper servers and I think I will have access to them for the foreseeable future so I will not be revealing the entry points in this zine (but if you spot it in the source feel free to exploit it yourself) .
Just for a taste though you can look at the API docs  and scroll to the very bottom where you can get a free API key
( KDWkI01TERFzFKYNYwKIjh1vXmCv1g9Z0fcCLEzgg4oA9aNZQLHfjaXlqZ3bqkonMcI3Zm7vWLVNs7UqWnBT7XGxBDaea02ozkIU ) and an admin login ( dvdevops : [email protected] ) .
I may release more details in a follow-up zine if circumstances change .
Access has been maintained for over 3 months and hundreds of GB of data was exfiltrated without anyone noticing, even when he had to pay more money to DigitalOcean for more bandwidth . Great endpoint protection you got there .
At the present time, Troia continues to try to downplay the seriousness of the attack:
For anyone looking for a public statement about Data Viper. This “hack” only proves that i have struck a nerve and my talk next week is spot on. As for anything “stolen”, nothing was. All that was accessed was an old dev server. Databases? Nope.
— Vinny Troia (@vinnytroia) July 12, 2020
But as one reader replied, it does appear that databases were accessed and acquired:
Explain this? pic.twitter.com/IOvg5t83YY
— Gustanto Syaputra (@gustantosyptra) July 12, 2020
Troia has yet to respond to his question. Or explain how he can say no databases were acquired when they are now up for sale.
Correction: A previous version of this post incorrectly claimed that most of verifications.io had not been available on RaidForums. It was.