Cyber Incident Victim: Astoria Company LLC
Date: Jan 2021
Location: United States of America
Summary
A lead generation firm suffered a significant data breach when its databases were listed for sale on dark web markets by the Shiny Hunters group. The listing initially claimed inflated record counts, but the data actually exposed included names, email addresses, phone numbers, physical addresses, dates of birth, and IP addresses. More critically, subsets of records contained highly sensitive data such as Social Security numbers, bank account details, driver's license numbers, medical histories, and credit information. Attackers exploited a publicly accessible database management script (Adminer.php) with pre-saved credentials on multiple company domains, which granted database access without any authentication. The intrusion was linked to malicious scripts and web shells deployed across the firm's infrastructure, with evidence suggesting the credentials had been saved by a former developer. Following notification by security researchers, the affected domains were taken offline.
Description
On January 26, 2021, threat intelligence analysts at Nightlion Security identified multiple databases listed for sale on the Dark0de darkweb market by the hacking group Shiny Hunters. Among the offerings was a database attributed to Astoria Company LLC, a lead generation firm aggregating consumer data for services like car loans, medical insurance, and payday loans through partner referrals. The initial listing claimed the Astoria database contained 300 million records, including 40 million U.S. social security numbers, though subsequent analysis revealed these figures were inflated. Nightlion’s examination confirmed the exposed data included names, email addresses, dates of birth, mobile phone numbers, physical addresses, and IP addresses. A subset of 10 million records contained highly sensitive information such as social security numbers, bank account details, driver’s license numbers, credit history, medical data, and vehicle or home information. Additionally, unencrypted email transaction logs within the leak revealed Astoria’s practice of transmitting sensitive user data via insecure email channels. Within a week, Shiny Hunters publicly listed the databases for sale, and a user named “Seller13”—later linked by researchers to Shiny Hunters member “Yousef”—advertised the Astoria data on other darkweb forums.

Nightlion’s investigation traced the breach to Astoria’s MortgageLeads.loans domain, where attackers deployed the Corex.php web shell and the Adminer.php database management script. The Adminer interface, accessible via a public URL, contained pre-saved credentials for the “adminastoria” account, granting unrestricted database access without authentication. Nightlion attributed this vulnerability to Shiny Hunters’ known tactic of exploiting leaked credentials. Further analysis identified over 400 domains registered to Astoria, with 19 confirmed to host the same Adminer script. Nightlion CEO Vinny Troia notified Astoria of the exposure on January 29, 2021. Astoria’s internal investigation concluded that a former developer based in India likely saved the credentials intentionally. The company removed the malicious scripts and took the affected domains offline. The breach impacted approximately 30 million U.S. individuals, exposing personal and financial data that remained actively traded on darkweb markets after the containment efforts.
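The two artifacts named above (a database admin script reachable from the public internet and a web shell beside it) leave a plain trail in web server access logs. The following added example, which is not part of this incident record or of any tool used by the researchers, shows one way a defender would sweep Apache-style logs for requests to such scripts and separate external hits from internal ones; the log lines and the internal address ranges are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Scripts named in the incident write-up. Any request to them from outside the
# organisation's own ranges deserves an alert; a non-404 status means the script
# is actually deployed on that host and not merely probed for.
WATCHED_SCRIPTS = {"adminer.php": "database admin script", "corex.php": "web shell"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed ranges

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges), not real Astoria logs.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jan/2021:03:14:02 +0000] "GET /adminer.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2021:03:14:09 +0000] "POST /adminer.php?username=adminastoria HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [26/Jan/2021:03:20:41 +0000] "GET /corex.php HTTP/1.1" 200 812 "-" "curl/7.64.0"
10.0.0.5 - - [26/Jan/2021:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Jan/2021:08:01:00 +0000] "GET /adminer.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Jan/2021:01:02:03 +0000] "GET /Adminer.php HTTP/1.1" 404 196 "-" "curl/7.64.0"
"""

def is_internal(ip):
    """True if the source address falls inside one of the assumed internal ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def scan_log(text):
    """Return one finding per request whose path ends in a watched script name."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # Strip the query string, keep the last path component, compare case-insensitively.
        script = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if script not in WATCHED_SCRIPTS:
            continue
        findings.append({
            "ip": rec["ip"], "external": not is_internal(rec["ip"]),
            "script": script, "kind": WATCHED_SCRIPTS[script],
            "method": rec["method"], "deployed": rec["status"] != "404",
        })
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Because each finding records whether the script answered with something other than 404, the same sweep run across every vhost's logs doubles as an inventory of which of the organisation's many domains actually serve the script, which is the question the 400-domain review above had to answer.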
