Cyber Incident Victim: OGUsers
Date: Nov 2020
Location: United Kingdom
Summary
The OGUsers forum, a hub for trading compromised social media accounts, was breached again in late November 2020. Attackers defaced its homepage and claimed to have taken its user database. The administrator asserted that stored passwords were protected, while the perpetrators demanded payments from members to exclude their profiles and private messages from a threatened leak. Earlier breaches of the same forum had exposed member data that later aided investigations into high-profile account takeovers and cryptocurrency scams linked to SIM-swapping crimes. The hackers, using the aliases "Chinese" and "Disco", were previously banned members promoting a rival forum; they gained access through an outdated site plugin. Disco characterized the intrusion as retaliation against the administrator and denied any intent to release or sell the stolen data. The incident continued a pattern of security failures at a platform central to numerous account hijacking schemes.
Description
In late November 2020, OGUsers, a forum dedicated to trading compromised social media accounts, suffered its third major breach when attackers defaced its homepage and claimed to have compromised its user database. The incident occurred approximately one week before the reporting article was published on December 2, 2020. Unlike the previous breaches in May 2019 and March 2020, in which the stolen databases were publicly released, the perpetrators of this attack had not disclosed the data at the time of reporting. The attackers, using the aliases "Chinese" and "Disco," attempted to extort forum members by offering to remove their profiles and private messages from an impending leak for payments of between $50 and $100. The forum administrator acknowledged the breach but asserted that stored user passwords remained protected; the article did not independently verify how the passwords were stored. The attackers were identified as previously banned OGUsers members who had launched a competing forum, and "Disco" was later identified as a UK-based individual operating under multiple aliases, including "Discoli" and "Disco Dog."

Earlier breaches of OGUsers had enabled significant investigative breakthroughs, particularly in reconstructing the July 2020 Twitter bitcoin scam involving high-profile account takeovers. The databases leaked in the 2019 and 2020 incidents contained profile details and private messages that were instrumental in identifying participants. According to a statement Discoli made via Twitter, the November 2020 attackers gained access by exploiting an outdated plugin on the forum site; he claimed the hack was motivated by a personal dispute with the administrator rather than financial gain and denied any intention to release the data. Discoli had previously marketed automated tools for cashing out stolen prepaid card accounts and had founded a UK corporation named Disco Payments, which he described as a joke. The repeated compromise of OGUsers highlighted operational security weaknesses within a community specializing in account hijacking, SIM swapping, and virtual currency theft. No containment measures beyond the administrator's password security assurances were documented in the available source material.
