Cyber Threat Actor: Data
| Actor Type | Location | Known Incidents |
Criminal
|
Latvia
|
1 incident |
|---|
Profile
The threat actor tracked under the alias Data has been linked to a breach of the Ask.FM platform. According to the actor’s own statements, they are based in Latvia. The actor first appeared on a cybercrime forum in March 2022 when they offered the stolen dataset for sale. No other aliases have been publicly attributed to this actor in the available sources.
The actor’s activity centered on the exfiltration and sale of user data from an online social networking service. They advertised a database containing approximately 350 million records, including usernames, email addresses, crackable password hashes and linked social media identifiers. The offering also included access to internal development repositories such as GitLab, Jira and Confluence. By placing the data on a marketplace, the actor demonstrated a financial objective rather than espionage or disruption.
Initial access to the Ask.FM environment was obtained through a vulnerability in a WordPress server hosted on the platform’s Safety Center network. The actor stated that the server was first compromised in 2019 and the user database was extracted on 2020‑03‑14. They further noted that administrators reused passwords across systems, which facilitated lateral movement. No specific malware families or custom tooling were described in the reported exchanges.
Attribution beyond the alias has not been established; no state sponsorship or criminal consortium affiliation is mentioned in the sources. The Ask.FM incident remains the only publicly documented operation associated with Data. The actor claimed that the victim organization detected the intrusion in mid‑2020 but chose not to disclose it publicly. The sale of the stolen data represents the actor’s most notable campaign to date.
