Cyber Incident Victim: Ask.FM
Date: Mar 2020
Location: Ireland
Summary
A significant breach of the Ask.FM platform exposed approximately 350 million user records, including usernames, emails, crackable password hashes, and linked social media identifiers, with about 45 million records involving Single Sign-On credentials. The attacker claimed to have gained initial access through a vulnerability in a WordPress server within the platform's network, first obtaining the database and subsequently exfiltrating additional internal data such as GitLab, Jira, and Confluence repositories. Although the attacker asserted that the victim organization detected the intrusion and revoked some compromised credentials, the company publicly denied that any security incident had occurred and did not notify users or regulators of the breach. The exposed data was offered for sale, with the seller alleging ongoing vulnerabilities due to inadequate remediation efforts.
Description
In March 2022, a seller using the alias “Data” listed Ask.FM’s user database for sale on the Breached.to hacking forum, claiming it contained approximately 350 million user records. The seller, vouched for by the forum’s owner Pompompurin, asserted the data was obtained through a breach of Ask.FM’s systems. According to the seller’s post, the database included fields such as user IDs, usernames, email addresses, password hashes, salts, and linked social media account identifiers (Facebook, Twitter, VK, and Instagram IDs). Approximately 45 million records involved Single Sign-On (SSO) logins. The seller claimed the password hashes were cryptographically weak and crackable. In addition to the user database, the listing offered access to 607 repositories and internal systems, including GitLab, Jira, and Confluence databases, accompanied by sample data as proof of validity.

The seller disclosed technical details of the breach to DataBreaches.net, revealing initial access was gained in 2019 via a vulnerability in Ask.FM’s Safety Center server, which hosted a WordPress instance on the ASKFM-NET network. The user database was exfiltrated on March 14, 2020. The seller alleged Ask.FM became aware of the breach by June 2020 but failed to remediate all vulnerabilities or notify affected users. Evidence cited included Ask.FM revoking specific compromised AWS credentials but allegedly ignoring broader security gaps, such as password reuse by administrators. Despite the seller’s claims and provided samples, Ask.FM consistently denied any breach occurred, stating in December 2021 and reaffirming in September 2022 that no security incidents had been identified. DataBreaches.net found no public disclosures or user notifications from Ask.FM related to the incident and escalated inquiries to Ireland’s Data Protection Commission (DPC) for GDPR compliance verification. The seller shifted toward pursuing an exclusive sale of the data, while the compromised records posed risks of credential stuffing and account takeover due to exposed hashes and linked third-party account identifiers.
