A file containing breached or leaked data of over 28,000 people living in Ireland has recently surfaced on one of the clearnet data-leak forums. As far as breach records go, this one is a very structured and clean Excel file containing email addresses, first names, surnames, general locations and phone numbers. Data dump files are usually bulky and messy, which is not the case here. But, first things first.
This research was initiated after an anonymous tip-off from a reader. A big thank you is owed to the person who flagged this to me, and it is hereby expressed.
The dump file was originally posted on Saturday, 2nd of December at 2:39PM.
I apologise for the redacted screenshot content, but I don’t want to further victimise the people whose details are in the leak by showing too much information that would lead to their identification.
NB: If you have a genuine, legitimate interest in this (government employee, press or cybersecurity researcher, etc.), you can contact me about it on the email address provided at the end of this post.
The dump file is hosted outside the crime forum itself. At the time of this research, and according to the external website’s download counter, it had been downloaded only 12 times.
The file does not contain any credit card details or any other information that could be easily monetised by cyber criminals. The fact that it’s being shared for free suggests its perceived low value, but naturally the personal information within can be used to conduct random phishing, spam and automated voicemail scam attacks, as well as more targeted attempts against profiled targets.
The origin of the data dump file is unclear, and while the metadata analysis offers some insights, they cannot be taken for granted, as metadata, as we all know, is easily manipulated.
The creation and modification date above can indicate that this is not a new file and that it has been around for the last year or so. Then again, those values could have been manipulated.
The name in the creator field, “Acer”, might suggest that the origin of this data could be the massive 2021 data breach from Acer – or maybe not.
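As an added illustration of the metadata check above (example code written for this post, not part of the original analysis): the snippet reads the creator and created/modified dates from an xlsx package's docProps/core.xml and cross-checks the claimed modified date against the ZIP member timestamps, which is one quick way to spot clumsy backdating. The package builder and all dates are constructed for the demo; only the creator value "Acer" comes from the file's actual metadata.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# XML namespaces used by docProps/core.xml inside an OOXML (xlsx/docx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

def read_core_properties(xlsx_bytes):
    """Creator and created/modified from core.xml, plus the newest ZIP member timestamp."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
        # Member timestamps are written by whatever tool last packaged the file.
        newest = max(datetime(*zi.date_time) for zi in zf.infolist())

    def text(path):
        node = root.find(path, NS)
        return node.text if node is not None else None

    return {
        "creator": text("dc:creator"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
        "newest_zip_member": newest.isoformat(),
    }

def dates_consistent(props):
    """False when the XML 'modified' date predates the ZIP member timestamps.
    Hand-editing core.xml to backdate a file without repacking consistently leaves this mismatch."""
    modified = datetime.fromisoformat(props["modified"].rstrip("Z"))
    return datetime.fromisoformat(props["newest_zip_member"]) <= modified

def build_sample_package(creator, created, modified, zip_dt):
    """Constructed minimal package for the demo (core.xml only, not a real spreadsheet)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" xmlns:dcterms="{NS["dcterms"]}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<dcterms:created>{created}</dcterms:created>"
        f"<dcterms:modified>{modified}</dcterms:modified>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("docProps/core.xml", date_time=zip_dt), core)
    return buf.getvalue()
```

A consistent result does not prove the dates are genuine; it only means the two sources of timestamps agree, which a careful forger can also arrange.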
I took a sample of 10 email addresses from the file and checked them against the Acer dump records – there were no matches found.
The motivations of the threat actor who is posting a cleaned up, fraud-ready file for free that contains details of only Irish residents are unclear, but sure as hell they are not friendly.
After initially thinking he could be posting in order to gain notoriety and cybercrime “street cred”, I researched the user’s activities on the forum in question as well as on other forums. He is by far the most active user on that particular forum, based on the forum’s own credit count:
Note that I use “he” deliberately – threat actors should remember that data breaches are a double-edged sword, and their own leaked credentials from the past can be used against them in the same way they use them against their victims (minus the scam / financial fraud aspects).
It’s worth noting that the forum where this and other similar content is being posted is registered anonymously and operated from a hosting IP address in the Netherlands by a company based in Macao. However, even a cursory examination of the site reveals that the forum is operated by Russian speakers, based on the following facts:
- The language choice between US English and RU – no other option available.
- The crawl rules’ User-Agent is set to Yandex.
- Every “Like” is instead a “Лайк” ;))
- The community rules state that posting data related to Russia is prohibited.
In the famous last words of US President Bush on the topic: “the Cold War is over; Russia is a friend; Russia is not an enemy”…