Recently, a threat actor identified as USDoD posted a claim on an online forum alleging the breach and leak of over 330 million email addresses, supposedly taken from SOCRadar. This prompted an immediate investigation by SOCRadar’s security team.
The investigation revealed that SOCRadar’s internal systems were not breached. The threat actor had acquired a license from SOCRadar under a legitimate company name, which provided access to the platform similar to that of any other customer. With this account, the actor was able to search for well-known domain names, collect Telegram channel names, and crawl these channels to harvest email addresses.
It is important to note that no technical vulnerabilities in the SOCRadar platform were exploited. The actor merely utilized functionalities inherent in the platform’s standard offerings, designed to gather information from publicly available sources. This incident highlights a significant issue in information ethics and security: distinguishing between legitimate use and potential misuse.
Following an in-depth analysis of the situation, it has been determined that no access was granted to customer data or critical information. Our findings confirm no data breach involving our customers or SOCRadar’s internal systems.
While the collected data does not present an immediate risk, we maintain close contact with law enforcement and closely monitor the situation as it evolves.
The threat actor used our platform to identify Telegram channel names and subsequently crawled these channels to collect email addresses. We have verified that these email addresses were sourced from publicly accessible channels.
The threat actor purchased a Dark Web license using a legitimate company account, granting them access to SOCRadar’s platform like any other customer. While technically compliant with our Terms of Service, this method did not adhere to our intended use policies.
Our comprehensive investigation concluded that SOCRadar’s security systems were not breached and that no security vulnerabilities were exploited. The threat actor used our platform within the Terms of Service, but in a manner that did not align with our intended use policies.
Cybersecurity vendors, including KnowBe4, CrowdStrike, and SOCRadar, have recently faced increased attacks from threat actors. These companies lead the fight against cyber threats and work to strengthen organizations’ cybersecurity, making them prime targets for malicious actors seeking to exploit their resources.
In response to this incident, SOCRadar is conducting a comprehensive security review. This includes enhancing our monitoring systems to detect anomalies and reinforcing the security of our platform to prevent misuse of legitimate features that could lead to unauthorized actions.
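One concrete shape such anomaly monitoring can take, given as an added example here and not SOCRadar’s own tooling: a baseline check over platform audit logs that flags a licensed account whose channel-crawl rate and domain-enumeration breadth exceed both a fixed cap and what peer customers do, which is the pattern described above (one account searching many well-known domains and crawling every channel it finds). The log format, action names, account names, thresholds and the sample records are all constructed assumptions.

```python
"""Flag bulk-harvesting behaviour by a licensed account in platform audit logs.

Constructed example: the audit-log format, action names, account names and
thresholds below are assumptions for illustration, not real platform telemetry.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    action: str   # assumed actions: search_domain, list_channels, crawl_channel
    target: str


@dataclass
class Thresholds:
    crawl_per_hour: int = 30        # absolute cap on channel crawls in any 1-hour window
    distinct_domains: int = 25      # cap on distinct domains an account searches
    peer_multiplier: float = 5.0    # flag if crawl rate exceeds 5x the peer median


def build_sample_log() -> str:
    """Constructed log: two ordinary customers plus one harvesting account."""
    base = datetime(2024, 8, 1, 9, 0, 0)
    lines = []
    # Ordinary customers: search their own brand a few times, crawl a channel each time.
    for i, (acct, domain) in enumerate([("acme-corp", "acme.example"), ("globex", "globex.example")]):
        for k in range(3):
            t = base + timedelta(hours=2 * k, minutes=7 * i)
            lines.append(f"{t.isoformat()} {acct} search_domain {domain}")
            lines.append(f"{(t + timedelta(minutes=1)).isoformat()} {acct} list_channels {domain}")
            lines.append(f"{(t + timedelta(minutes=2)).isoformat()} {acct} crawl_channel {acct}-chan-{k}")
    # Harvesting account: enumerates 120 unrelated domains and crawls a channel for
    # each one, all inside a single hour (one pair of events every 30 seconds).
    for n in range(120):
        t = base + timedelta(seconds=30 * n)
        lines.append(f"{t.isoformat()} shell-co search_domain brand{n:03d}.example")
        lines.append(f"{(t + timedelta(seconds=10)).isoformat()} shell-co crawl_channel chan-{n:03d}")
    return "\n".join(lines)


def parse_log(text: str) -> list[Event]:
    """Parse whitespace-separated records: <iso-timestamp> <account> <action> <target>."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, action, target = line.split()
        events.append(Event(datetime.fromisoformat(ts), account, action, target))
    return events


def max_events_in_window(times: list[datetime], window: timedelta) -> int:
    """Largest number of timestamps that fall inside any sliding window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def profile_accounts(events: list[Event]) -> dict[str, dict[str, int]]:
    """Per account: peak hourly crawl rate and number of distinct domains searched."""
    by_acct: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_acct[e.account].append(e)
    profiles = {}
    for acct, evs in by_acct.items():
        crawl_times = [e.ts for e in evs if e.action == "crawl_channel"]
        domains = {e.target for e in evs if e.action == "search_domain"}
        profiles[acct] = {
            "crawls_per_hour": max_events_in_window(crawl_times, timedelta(hours=1)),
            "distinct_domains": len(domains),
        }
    return profiles


def flag_accounts(events: list[Event], th: Thresholds = Thresholds()) -> dict[str, list[str]]:
    """Return {account: [reasons]} for accounts exceeding fixed caps or the peer baseline."""
    profiles = profile_accounts(events)
    peer_median = statistics.median(p["crawls_per_hour"] for p in profiles.values())
    findings: dict[str, list[str]] = defaultdict(list)
    for acct, p in profiles.items():
        if p["crawls_per_hour"] > th.crawl_per_hour:
            findings[acct].append(f"{p['crawls_per_hour']} channel crawls in one hour (cap {th.crawl_per_hour})")
        if p["distinct_domains"] > th.distinct_domains:
            findings[acct].append(f"{p['distinct_domains']} distinct domains searched (cap {th.distinct_domains})")
        if peer_median > 0 and p["crawls_per_hour"] > th.peer_multiplier * peer_median:
            findings[acct].append(f"crawl rate is {p['crawls_per_hour'] / peer_median:.0f}x the peer median")
    return dict(findings)


if __name__ == "__main__":
    for acct, reasons in flag_accounts(parse_log(build_sample_log())).items():
        print(acct, "->", "; ".join(reasons))
```

The two fixed caps catch an account that is abnormal in absolute terms; the peer-median comparison catches one that is abnormal relative to how other customers use the same features, which is the distinction between normal research on a customer’s own domains and enumeration at scale. Thresholds would be tuned per licence tier before such a check is wired into alerting or automatic rate limiting.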
Currently, no specific actions are required from our customers or partners.
SOCRadar remains committed to our clients’ security and privacy. We are taking proactive measures, including upgrading our monitoring and access controls, to prevent future misuse.
We also collaborate with law enforcement to ensure all necessary actions are taken. We value transparency and will keep our clients and the security community updated with any significant developments.
A detailed post-mortem analysis report has been prepared for SOCRadar customers and partners. Those wishing to access the report can request it by emailing [email protected].
Article Link: https://socradar.io/socradars-response-to-the-usdods-claim-of-scraping-320-million-emails/