Cyber Incident Victim: START
Date: Sep 2021
Location: Russia

Summary
A Russian streaming platform suffered a data breach in which attackers exfiltrated a database containing approximately 7.5 million users' email addresses, phone numbers, usernames, MD5-hashed passwords, IP addresses, login logs, and subscription details. The platform confirmed the intrusion but downplayed the risk, asserting that the data could not facilitate account takeovers; this claim was contradicted by external verification showing that leaked credentials produced valid logins when tested through the platform's password recovery tool. While financial information and browsing history remained unaffected, the incident exposed sensitive user records, prompting the organization to remediate the vulnerability and advise password resets without mandating a global credential reset.
Description
On or around September 22, 2021, unauthorized actors breached the systems of Russian streaming platform START (start.ru), exfiltrating a database containing user information. The breach remained undisclosed until August 28, 2022, when a 72GB MongoDB JSON dump purportedly containing records of nearly 44 million users began circulating on a social network. Analysis revealed 7,455,926 unique email addresses within the dataset, indicating approximately 7.5 million legitimate users were affected. The stolen records included email addresses, phone numbers, usernames, MD5crypt-hashed passwords, IP addresses, login logs, and subscription details, with the most recent entries dated September 22, 2021. START confirmed the breach two days after the leak emerged, acknowledging that intruders had stolen a 2021 database but asserting that financial data, bank card information, browsing history, and unhashed passwords were not compromised. The company stated the stolen data lacked immediate utility for account takeover attempts. User accounts created after September 22, 2021, were unaffected by this incident.

START administrators announced via Telegram on August 30, 2022, that they had addressed the vulnerability and secured data access. While not mandating a global password reset, the platform advised users to change their passwords as a precaution. Independent verification by the Russian news outlet Meduza confirmed the validity of leaked credentials by testing random entries through START's password recovery tool, contradicting the platform's characterization of the data's limited utility. The discrepancy between START's official statement and the actual contents of the leaked dump extended to the omission of password hashes, IP addresses, and login logs from the company's disclosure. The incident exposed operational security gaps, as the database contained extensive authentication and session records alongside personally identifiable information. Data distribution channels amplified the breach's visibility, though START maintained that the compromised information posed minimal direct financial risk to users.
