One of the newer leak markets is Marketo. Marketo claims, “We put up for sale network accesses and passwords of networks of companies that do not contact us.” They also maintain a Telegram channel where they elaborate on their service:
We are an independent marketplace for free placement and sale of data stolen by hackers. We are not affiliated with popular ransom groups today and condemn their work as it can harm people in the process of blocking networks and PCs. We are only concerned with information, and if it is of value, as Nathan Rothschild told us, then it can be sold and that is our business model. You can take a look around our site and contact us. Select the item you are interested in.
In mid-May, when DataBreaches.net first became aware of the Marketo site, it contained a statement about entities that were then currently under attack, and a brag that their success rate was better than 85%. One of the sites allegedly then under attack was cuny.edu, the City University of New York. DataBreaches.net reached out to CUNY to ask them if they were aware of the claimed ongoing attack and to give them a heads up if they hadn’t been. The email was sent to security@. They did not respond at all.
On May 31, Marketo listed CUNY.edu as completed, claiming that they had exfiltrated 11 GB of data. Their proof of claim package consisted of relatively innocuous files.
DataBreaches.net reached out to CUNY again to ask what it had done after this site had tried to alert them to a problem, and to ask what data the threat actors had acquired. Again, there was no response.
So DataBreaches.net asked Marketo what they could or would tell me about that incident, including when the attack began and when it was completed. I also asked whether personal nformation of students had been acquired. A Marketo spokesperson replied:
So, first, I can’t tell you about the date of the attack. Second, we don’t have the students data, so I’ll guess this won’t be much of an interest for you, but what we do have is contact payments, budget reports, projects, contracts and etc.
Marketo promised to provide additional details in a few days, but from the sound of things, this breach likely does not involve a lot of personally identifiable information — or even any. But what did CUNY do when this site attempted to warn them that they were supposedly under attack? How did they follow up, or didn’t they?
Today, DataBreaches.net sent a press inquiry to CUNY, asking what CUNY had done in response to the May 16th alert and to the attack itself.
So far, there has been no response.
This post will be updated if a response s received.