Cyber Incident Victim: NZBGeek
Date: Nov 2020
Location: New Zealand
Summary
A Usenet indexing service suffered a security breach involving an SQL exploit that deployed a JavaScript-based keylogger on its website, leading to the theft of user credentials, email addresses, and credit card information. The attackers intercepted payment details during checkout via a method resembling Magecart-style skimming attacks, capturing data entered by users after the compromise. While the service stated it did not store payment details directly, the keylogger collected information submitted through its interface. Affected individuals were advised to monitor financial accounts and update reused credentials due to potential exposure of sensitive data.
Description
NZBGeek, a Usenet indexing service established in 2012 and known for facilitating access to pirated content, suffered a cybersecurity breach involving the theft of user data, including credit card information. The incident was publicly disclosed by the site’s operators on December 27, 2020, though forensic analysis indicated the attack originated earlier, on November 20, when attackers compromised the site’s infrastructure. Hackers exploited an SQL vulnerability to deploy a JavaScript-based keylogger designed to intercept user-submitted information during website interactions. This keylogger operated by capturing data entered by users, particularly during checkout processes, before it was transmitted to the site’s legitimate backend systems. While NZBGeek itself did not store credit card details, the keylogger enabled the theft of such information in real time as users entered it, alongside usernames, email addresses, and encrypted passwords. The attack methodology aligned with characteristics of Magecart-style digital skimming campaigns, which typically inject malicious code into payment pages to harvest financial data during transactions. All users who accessed NZBGeek between November 20 and December 27 were potentially affected, exposing them to risks of financial fraud and credential misuse.

The site’s operators, including an individual using the pseudonym “Jeeves,” confirmed the breach in communications with TorrentFreak, emphasizing that encrypted passwords were compromised but acknowledging the heightened risk for users who reused credentials across multiple platforms. They advised impacted individuals to notify their credit card issuers to prevent unauthorized transactions and to change passwords on any accounts sharing credentials with NZBGeek, additionally recommending the adoption of two-factor authentication where available. The incident underscored the persistent threat of Magecart attacks, which had previously targeted major entities like British Airways, Ticketmaster, and Newegg, exploiting web application vulnerabilities to intercept sensitive data. NZBGeek’s breach highlighted operational security gaps in niche online services catering to piracy-related activities, despite their paid subscription models. No specific attribution for the attack was provided, nor were details disclosed regarding the detection timeline or containment measures beyond the removal of the keylogger. The compromise demonstrated the continued viability of Usenet as a piracy vector while exposing its user base to tangible financial and reputational harm stemming from insufficient cybersecurity safeguards.
