Millions of supposedly private links leaked online by safe link provider


  • The Cybernews team found a huge database belonging to Safelinking
  • It contained 30 million links, as well as customer data
  • A malicious bot scraped and destroyed it

A company that provides safe links services kept a major database with sensitive information unlocked and available to anyone who knew where to look.

As a result, sensitive information on millions of people got leaked on the dark web, and the database ended up destroyed.

This is according to cybersecurity researchers at Cybernews. In early August, the team discovered a “poorly configured” and passwordless MongoDB database belonging to a company called Safelinking.net, a firm that provides password-protected link services.

Ransom demanded

When someone wants to send sensitive data across the internet, they can lock the link behind a PIN, or password, using companies like Safelinking. Thus, it is safe to assume that the data behind the link is highly sensitive in nature.

Still, Safelinking made an all-too-common error and failed to properly secure the database, Cybernews argues. It contained 30 million private links, as well as account data on more than 150,000 users. This data includes people’s usernames, emails, encrypted passwords with salt and API hashes, notification settings, security settings associated with the links, social media account IDs, and protected links.

Oftentimes, researchers are the first ones to find these databases, averting a bigger catastrophe. Not this time, though. Cybernews discovered that a malicious bot beat them to the punch, pulling all the data to an attacker-controlled server, and leaving a message that the archives would be destroyed if roughly $600 in bitcoin wasn’t paid.

Since Safelinking didn’t pay the ransom demand, the bot destroyed the database, and it’s no longer publicly available.

“It’s a good reminder of why it’s so important to have solid security measures in place for platforms handling this type of data,” said the Cybernews research team. “Even if the platforms sometimes fail to secure users’ privacy, it’s good to know basic security hygiene, like using multi-factor authentication.”

Via Cybernews
