Klaus on Tilde Town

Please notice you've been pwned, Senpai.

What a great way to start your Saturday morning.

You receive an email written in Japanese alongside a recent surge in Japanese-written spam in your inbox, but this one seems to be legit. At first glance, your infant Japanese language skills catch a few words, like "illegal" or "unauthorized," and you start thinking that this might be serious. You paste the contents into Google Translate and realize that part of your data is about to go front page on some infosec journal:


Subject: Apology and notice regarding damage caused by unauthorized access to the website

This e-mail is sent to customers whose e-mail address may have been leaked due to the following unauthorized access damage.

[REDACTED] Co. may have leaked some email addresses of members or temporary member registrants owned by the Company due to unauthorized access to the Company's website. I confirmed that there is.

The information that may have been leaked this time does not include name, address, date of birth, or credit card information. Regarding this matter, we would like to report on the current situation and future measures as follows.

  1. Status of unauthorized access: unauthorized access from the outside using SQL injection was confirmed, and as a result of the investigation, it was found that some e-mail addresses of [REDACTED] members or temporary member registrants may have been leaked outside the company. (SQL injection: An unauthorized access method that uses a SQL statement as a URL parameter to extract information from an unintended database)

  2. Information confirmed to be leaked

    • Number of cases that may have leaked: 46,421
    • Information that may have been leaked: Email address (Name, address, date of birth, and credit card information are not included).
  3. Response and countermeasures: After taking protective measures against attacks on this page, we have implemented the following.

    • [REDACTED] reexamines the safety of [REDACTED] website
    • [REDACTED] strengthens [REDACTED] website development management system
    • Consultation with the Police Department regarding this matter
  4. To our customers: We will never ask customers who may leak information for their personal information (financial institution account, credit card PIN, My Number, etc.) by telephone, mail, email, etc. To prevent damage, please be careful about suspicious e-mails, such as refraining from opening e-mails and attached files.

We sincerely apologize for causing a great deal of inconvenience and concern to our customers and related parties. In the future, we will strengthen the security of the server system and homepage and make thorough efforts to prevent recurrence.


Gomen-nasai

You've Been Pwned, desu!

What can I say... quite a lot of formalities in there for a single email, very Japanese style indeed. I love how accurately they point out that exactly 46,421 accounts were compromised - that in itself tells us how the Japanese like to be correct. Also, interesting how they disclose the cause in full foreground as SQL Injection, complete with a short layman's terms explanation. Honest transparency or weakness on their part? I'll leave the answer to you.
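The notice names SQL injection through a URL parameter as the cause. As an added example that is not from this post or from the company involved, here is that query shape beside its parameterized form, using Python's sqlite3 module and a constructed in-memory members table (the addresses are made up):

```python
import sqlite3

# Constructed sample rows standing in for a members table; not real data.
SAMPLE_MEMBERS = [
    (1, "alice@example.invalid"),
    (2, "bob@example.invalid"),
    (3, "carol@example.invalid"),
]


def make_db():
    """Create an in-memory members table seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn


def lookup_vulnerable(conn, member_id):
    """The pattern behind the notice: a URL parameter concatenated into SQL.
    Whatever the parameter contains becomes part of the statement, so a
    value with a quote in it rewrites the WHERE clause instead of being
    compared as data."""
    sql = "SELECT email FROM members WHERE id = '" + member_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, member_id):
    """Hardened form: the parameter is bound by the driver and is only ever
    treated as a value, never as SQL text."""
    sql = "SELECT email FROM members WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (member_id,))]


def compare(member_id):
    """Run both lookups on the same input and return (vulnerable, safe) results."""
    conn = make_db()
    return lookup_vulnerable(conn, member_id), lookup_safe(conn, member_id)
```

With a well-formed id such as "2" both functions return the same single row; with a quote-bearing input the concatenated version can return every address in the table while the bound version returns nothing.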

This experience marks the first confirmed time I've been pwned in my digital life. This is not to say that previous services I've used, like old email addresses or forums, were never affected, but rather that this is the first one I'm actually aware of. The struggle is real, my friends, and OpSec is a real must for anybody.

Naturally, the question shifts to the future: what am I going to do next? Or perhaps, what can I do next now that an irresponsible company has mishandled my data?

Am I pwned at this point?

As much as it sucks to know that such an incident involving my data has happened, it turns out I'm actually not that worried in the end. I have not used the service in question for anything financial, and I used a strong and unique password for my account, so it cannot be reused against me anywhere else. With this in mind, I can - as I did - simply change my password there again using my password manager and bam - identity problem solved.

A more serious problem is spam. Having read this announcement, it no longer surprises me that my email inbox (a throwaway account that I also use for pseudonymous logins) started receiving mildly targeted spam messages this week, written in Japanese and concerning sites only used by the Japanese. So far it looks like an email address made of a random character string like df9weuowrh has still covered my tracks relatively well.

Besides the annoyance, there's also the possibility that my (till then) anonymous address is being marketed in the darkweb and sold around like cracker candy. Who knows, maybe my spam count will go higher in the coming weeks. But if it becomes increasingly annoying, all I'll have to do is create a new address. Let the spam dine in at an abandoned dummy account. It's getting harder to create one fully anonymously and without a phone number, but if all I need is protection against spam or mild stalking, I guess that's a reasonable trade-off.

Lessons learned

First and foremost: compartmentalize your digital life. Not only does this make it much more resilient in terms of data loss (replication of backups over multiple accounts is key), but it also guarantees that a compromised account held in one badly maintained service does not spread to the rest of your online identity (if any).

Second, and this hooks straight into the previous one: use a password manager. Sorry, there's simply no excuse for not using one in today's world of countless websites and constant data leaks. Memorize one long password using something like diceware and use it to unlock a database containing random, distinct passwords for each service you use. If you don't have physical dice with you, you can simulate it with a script like this:

#!/bin/bash
# @diceware.sh: generate diceware-like passphrases
# USAGE: diceware.sh [LENGTH]
# Note: words file location might be different in your system.
# This example works with Debian-based systems.

set -euo pipefail

WORDS=/usr/share/dictionaries-common/words
LEN=5 # how many words?

if [[ -n "${1:-}" ]]
then
    LEN="$1"
fi

if [[ ! -r "$WORDS" ]]
then
    echo "word list not found or not readable: $WORDS" >&2
    exit 1
fi

# shuf draws its randomness from /dev/urandom; pick LEN random lines
# from the word list and join them with spaces on a single line.
shuf -n "$LEN" "$WORDS" |
    tr "\n" " "
echo
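The script above draws from the whole system dictionary, which is fine for a passphrase but is not quite Diceware as published: the real method keys a list of 7776 words by five dice rolls, and its strength is a known number of bits per word. As an added example that is not part of the original post, here is that lookup in Python, with the CSPRNG standing in for physical dice, a parser for the "NNNNN<tab>word" list format, and the entropy arithmetic for any list size:

```python
import itertools
import math
import secrets


def roll_dice(count=5):
    """Simulate `count` fair six-sided dice with a CSPRNG, e.g. '35216'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def dice_keys():
    """All 6**5 = 7776 five-roll keys in list order, '11111' .. '66666'."""
    return ["".join(p) for p in itertools.product("123456", repeat=5)]


def parse_wordlist(text):
    """Parse the Diceware list format: one 'NNNNN<tab>word' per line.
    Lines that are not a five-digit key in 1..6 followed by a word are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        key, word = parts
        if len(key) == 5 and all(c in "123456" for c in key):
            table[key] = word
    return table


def missing_keys(table):
    """Keys a complete list must have but this one lacks (empty means usable)."""
    return sorted(set(dice_keys()) - set(table))


def passphrase(table, n_words=5):
    """Roll five dice per word and look each roll up, as the paper method does."""
    return " ".join(table[roll_dice()] for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Guessing entropy of a passphrase of n_words drawn uniformly from list_size."""
    return n_words * math.log2(list_size)
```

Five words from a 7776-entry list give about 64.6 bits; the same count from a roughly 100,000-word system dictionary gives about 83 bits, at the cost of words you may not be able to remember or spell.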

Third, slim down your online presence by permanently deleting any online account you're not using. You can only do so much to guard your own account on a dubious service; the best remedy is to remove at once any data you have online that you don't need. What's the best way to know which accounts you're not using? Once again, a password manager conveniently lists every account you've previously created.

And just like that, I'm not going to lose sleep over this incident, even if it sounded a little scary in the email. Knowing how to do some basic OpSec has spared me from worrying about the possible bad outcomes of a data breach like this.

You've been pwned, Senpai, better catch up desuyo.


Have you been pwned in a similar way to this one before? What other follow-up actions did you do in that case? What OpSec practices ended up passively protecting you from other consequences? Let me know on Mastodon!


This post is number #18 of my #100DaysToOffload project. Follow my progress through Mastodon!


Last updated on 06/08/21