Earbits.com Leaks 325,000 User Credentials
Music industry security has taken a beating recently, and today I'm adding another log to the fire: Earbits, an independent Internet radio outlet, was recently leaking the private account details of over 325,000 users.
Followers of data breach news will recall the early December hack of music sales site Tunecore as well as more recent coverage of a SQL injection attack against a band known as Faithless.
But unlike the Tunecore and Faithless incidents, this Earbits situation does not involve a hack at all. I discovered the 325k user database through a regular review of search results on the site Shodan.io. The Earbits database was not using any authentication measures. It was completely exposed and available to anyone in the entire world with an Internet connection.
We're talking about everything from real names, email addresses, and SHA1 password hashes (with accompanying salts), to the secret access keys of Earbits' Amazon S3 account.
I fired off alerts to the two Earbits email addresses I could locate, as well as a few messages to their parent company, You42. Attempting to call You42 proved fruitless, as the only options were a dial-by-name directory and an operator line that went straight to voicemail.
Below is the exact message I sent to Earbits and You42:
I have come across a database that appears to belong to you. It is currently configured for public access and does not require any form of password or authentication to view. The database contains, among other things, the account details for over 325,000 of your users. This includes email addresses, password hashes, and IPs.
To show that this is not a hoax, I have attached a screenshot overview of the database. If this is indeed your data, please contact me as soon as possible so that I can provide you with the IP address and port number of the exposed database.
Please be advised that any response, or lack of response, is likely to be included in my reporting of the incident.
A few hours later I received the following response:
We received your notifications regarding the potential security issue with our database. Can you provide us with the IP address and port of the exposed database along with the methods you used to uncover this issue so we can address this security flaw immediately?
Engineering @ Earbits
I responded with the IP address and port number corresponding to the exposed database. I also immediately checked to see if the data was still accessible. It was not. That leads me to believe that Earbits was able to locate the exposed data using only the description and screenshot included with my original notification email. Although, it must have been nice to receive confirmation from me that they had found and plugged the correct hole.
At this point, it is unknown how long the database remained exposed to the world and whether Earbits will be notifying its users of the breach. It would be a good idea for all Earbits users to change their Earbits password, and to change the password on any other site where they reused it.
All in all, this was a pretty good post-notification response time by Earbits, especially considering that I sent the notification emails on a US holiday (Martin Luther King Jr. Day). They also get points for implementing salted password hashes. Salting does not stop an attacker from guessing passwords against each hash individually, but it does slow things down, as it renders precomputed rainbow tables useless.
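To make the salting point concrete, here is an added example (not code from the original post, and not Earbits' implementation) that builds a small credential store in the style the post describes, SHA1 hashes with per-user salts, and shows why a precomputed hash-to-password table resolves unsalted hashes but none of the salted ones. The salt-prepended-to-password convention, the sample users and the word list are all constructed for this example; the post does not say how Earbits combined salt and password.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the plaintexts a precomputed
# (rainbow) table would cover. Not from the post.
WORDLIST = ["password", "letmein", "123456", "qwerty", "music123"]

# Constructed users whose passwords are deliberately all in WORDLIST,
# so the unsalted store is a worst case. Not Earbits data.
USERS = [("alice", "password"), ("bob", "letmein"), ("carol", "music123")]


def sha1_unsalted(password: str) -> str:
    """Plain SHA1 of the password: identical passwords give identical hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """SHA1 over salt || password. Assumed convention for this example."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def make_record(username: str, password: str, salt: bytes = None) -> dict:
    """Create a stored credential record with a random 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    return {"user": username, "salt": salt.hex(), "hash": sha1_salted(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the salted hash for a login attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(record["hash"], sha1_salted(candidate, salt))


def build_unsalted_table(wordlist) -> dict:
    """A precomputed unsalted-SHA1 -> plaintext map, built once and reused.

    This is the essence of a rainbow table: the work is done before any
    particular leak is seen, so it only helps when the stored hash depends
    on nothing but the password."""
    return {sha1_unsalted(w): w for w in wordlist}


def table_hits(table: dict, hashes) -> int:
    """How many stored hashes the precomputed table resolves directly."""
    return sum(1 for h in hashes if h in table)


def compare_storage_schemes(users, wordlist):
    """Return (hits against unsalted store, hits against salted store)."""
    table = build_unsalted_table(wordlist)
    unsalted_hashes = [sha1_unsalted(pw) for _, pw in users]
    salted_hashes = [make_record(u, pw)["hash"] for u, pw in users]
    return table_hits(table, unsalted_hashes), table_hits(table, salted_hashes)


if __name__ == "__main__":
    unsalted, salted = compare_storage_schemes(USERS, WORDLIST)
    print(f"precomputed table resolved {unsalted}/{len(USERS)} unsalted hashes")
    print(f"precomputed table resolved {salted}/{len(USERS)} salted hashes")
    rec = make_record("alice", "password")
    print("login with correct password:", verify(rec, "password"))
    print("login with wrong password:  ", verify(rec, "passw0rd"))
```

The salted store scores zero against the table because every user's hash now depends on a value the table builder never saw, so the precomputation is wasted. What the example does not change is the cost of one guess: SHA1 is designed to be fast, so a leaked salted-SHA1 store still has to be treated as crackable given enough attacker time, which is why the advice to change reused passwords stands and why a deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2) is the usual recommendation for new systems.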
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org