Cyber Incident Victim: DataViper
Date: Jul 2020
Location: United States of America
Summary
A hacker breached a security firm's data leak monitoring service, DataViper, stealing over 8,200 databases containing information from billions of users compiled from historical breaches. The attacker publicly posted evidence including exfiltrated data samples and access proofs on a dark web portal, though most datasets appeared outdated with limited new additions. The service's operator acknowledged unauthorized access to a test environment but disputed claims of sensitive data theft, suggesting the hacker aimed to tarnish his reputation ahead of a scheduled conference presentation. He speculated the perpetrator might be affiliated with known cybercriminal groups and could be attempting to sell independently acquired databases under the guise of stolen material, emphasizing that critical systems remained uncompromised during the incident.
Description
On or around July 12, 2020, a hacker breached systems associated with DataViper, a data leak monitoring service operated by Vinny Troia of Night Lion Security. The attacker publicly claimed to have exfiltrated over 8,200 databases containing information aggregated from billions of users exposed in historical third-party breaches. DataViper's service routinely scanned dark web sources to compile these databases for customer leak monitoring purposes. The hacker posted evidence of the breach on a dark web portal, including samples of exfiltrated databases, JSON files, and operational proof demonstrating unauthorized access to DataViper systems. While most identified databases corresponded to older breaches, the hacker also referenced some previously undocumented datasets. The compromised information reportedly originated from multiple organizations that had experienced prior data exposure incidents, now recompiled through DataViper's monitoring platform.

Vinny Troia acknowledged unauthorized access to a non-production test server but disputed the theft of sensitive or proprietary data from core systems. He characterized the targeted environment as development infrastructure with limited operational significance. Troia attributed the attack to an individual or group with suspected affiliations to threat actors like TheDarkOverlord and ShinyHunters, suggesting personal retaliation motivated the breach. He cited timing coinciding with an upcoming security conference presentation as potential evidence of reputational targeting. Troia further speculated the hacker might be attempting to market independently obtained databases under the pretense of having stolen DataViper assets. The article noted ongoing efforts to validate technical claims from both parties, with commitments to provide updates as verification progressed. No specific containment actions or customer impact disclosures were detailed beyond Troia's assertions regarding the isolation of development systems from critical infrastructure.
