Another Day, Another Hack: Millions of User Accounts for Streaming App '17'
The data, advertised on the dark web, includes phone numbers, IP addresses, and details about the user's phone model.
Image: Che Saitta-Zelterman
Quite literally, every day someone gets hacked. Whether that's a telecommunications company having its customer data stolen, or another chain of businesses being ripped for all the credit cards it processes, today one hack just seems to melt into another.
In our series Another Day, Another Hack, we do short posts giving you what you need to know about the hack, so you can figure out whether your bank account, website logins or anything else might be at risk. Because, even if the hack might not be the most sophisticated, real people are still getting fucked over somewhere, and should know about it.
A hacker is advertising a cache of email addresses, poorly secured passwords, phone numbers, and other information from users of photo sharing and video streaming app '17', which is particularly popular in Asia.
The data is being sold on The Real Deal, a dark web market that specialises in stolen information and computer exploits.
The data was allegedly obtained via an app server, and not the company's website, the hacker advertising the data told Motherboard in an encrypted chat.
"Vuln[erability] and some shit security," the hacker, who used the handle "peace," said.
Peace shared a small sample along with his listing. Out of 54 usernames that Motherboard tested with the 17 app, 52 already corresponded to accounts. (The other two usernames contained characters, such as underscores, that Motherboard was unable to enter into the Android version of the app).
Motherboard then obtained a larger sample, allegedly containing information on 20,000 users. Many of these usernames also matched active accounts on 17.
The passwords were hashed using the notoriously weak MD5 algorithm. Because of this, Motherboard was quickly able to obtain users' full passwords by using simple online tools.
The data also includes email addresses, phone numbers, IP addresses, and information about a user's phone, such as the model and operating system.
Motherboard attempted to contact 26 users via their email address. One person confirmed they were a user of 17, but said he had un-installed the app. In the samples Motherboard reviewed, not every entry contained all pieces of information. For example, some didn't include phone numbers, and others didn't include email addresses. This might be due to the fact the users can sign up to 17 using their Facebook account, rather than their phone number.
"We take every threat to personal user data and security with the utmost priority," Popo Chen, the co-founder of the app, wrote in an email after being informed of the apparent breach by Motherboard. Chen did not confirm the legitimacy of the data.
In September 2015, 17 Media, the company that makes 17, raised $10 million in Series A funding. At the time, 17 had been downloaded over six million times, according to Silicon Angle. In a similar vein to YouTube, the app has a sharing system, in which users who create content split ad revenue with 17 Media. According to the Google Play Store, the app has between 500,000 and 1 million installs.
In all, the hacker claims to have obtained information on 30 million users. Motherboard could not confirm whether Peace is selling that many accounts.
It's unclear why the discrepancy between the apparent number of 17 downloads and the 30 million user account figure is so wide. Chen did not respond when asked to clarify how many users 17 has.
Motherboard shared the smaller sample with Chen, who said the "data looks unusual, we don't have any APIs that query this small of a set." On Thursday, Chen said that the company was "in the process" of buying the data from Peace.
At the time of writing, Peace has sold the data twice, according to the feedback function on The Real Deal, and the hacker said that another sale was pending. One sale is rated as positive, and commented with "quick delivery." The other sale is marked as negative. It's unclear why the buyer was seemingly unsatisfied with their purchase. The data is being sold for 0.3305 bitcoin (just under $150).
The lesson: All 17 users should immediately change their password as a precauation, in order to avoid third party access to their account. They should also change credentials on any other sites or services that used the same password.