Breach, Compliance Management, Threat Management, Data Security, Network Security, Privacy, Threat Management

Hacker doxes Nulled cybercrime forum, exposes data on 536,000 user accounts

An unidentified hacker turned the tables on, a popular online forum that facilitates cybercriminal activity, by compromising its website and publicly dumping its sensitive user data and communications.

According to a blog post last week from Risk Based Security (RSB), the perpetrator struck on May 6, doxing the Nulled website in the form of a 1.3 GB archive that actually held 9.45 GB worth of compressed data. The archive was found to contain over 536,000 user accounts including names, email addresses, encrypted passwords, registration dates and IP addresses. A transactions table for VIP customers also featured user IDs that can be matched back to their corresponding user accounts. Private communications on the forum were also published on the doxing site, which RBS declined to identify.

Altogether, RSB researchers counted about 2.2 million posts, including over 800,000 personal messages, nearly 6,000 purchase records and about 12,600 invoices. There were also API credentials for three different payment methods, and over 900,000 authentication logs with geolocation data, member IDs and IP addresses.

The Nulled website typically offers visitors a forum to buy, sell or share stolen content and credentials as well as and illegitimately modified software, but has been pulled down for “temporary unscheduled maintenance,” according to a message on its home page. RSB speculated, but has not confirmed, that Nulled was likely breached via a vulnerability in its IP.Board community forum service from Invision Power Services, Inc.

Content shared on the site's premium VIP forum was also exposed; consequently, VIP access for this content is now worthless, “clearly impacting [the] business model,” the blog stated. Still, the doxing could potentially inflict some collateral damage, because the leaked content also includes samples of stolen data that users of Nulled's VIP section had previously posted as proof to potential buyers. This, in effect, doubly exposes a select number of Nulled's original victims.

Clearly, the potential ramifications for Nulled's users are significant. “I would say the biggest implication is the exposure of the information for analysis by law enforcement,” said Inga Goddjin, EVP and managing director of insurance service at Risk Based Security, in an interview with “They have an interest in what happens in these forums, who's participating, who's involved in what type of activity.”

Meanwhile, the site itself has also taken a hit. “Once a site like that has been compromised, it does have a lot of trust implications,” said Goddjin. “Obviously, users might be reluctant to go back there.”

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.