Cyber Incident Victim: subitodisponibile.com
Date: Jun 2023
Location: Italy
Summary
A cybersecurity incident impacted the Italian website subitodisponibile.com, resulting in a data breach. An attacker used SQL injection to exfiltrate a database containing approximately 300,000 user records totaling 5GB. The stolen data, allegedly from 2023, includes extensive customer contact information such as names, email addresses, home addresses, and postal codes. The compromised records were subsequently offered for sale on the underground cybercrime forum Exposed.
Description
On or around June 13, 2023, a cybersecurity incident involving the Italian website subitodisponibile.com was publicly disclosed. The disclosure occurred on the underground cybercriminal forum known as Exposed. A threat actor posted a message to the forum announcing the sale of a data set allegedly stolen from the company. The post contained a sample of the stolen data, which was offered as proof of the breach's legitimacy, and provided instructions for other forum members to contact the seller to initiate a purchase transaction. The advertised data set was substantial, reported to contain approximately 300,000 records. The total volume of data exfiltrated was estimated to be five gigabytes. The data was structured across 25 distinct columns, indicating a comprehensive extraction of information from a database.

The attacker claimed the data was extracted via an SQL injection attack against the company's IT infrastructure. This technique exploits flaws in how a web application builds database queries from user input, allowing an attacker to alter the query's logic and view, manipulate, or exfiltrate data that the application was never meant to expose. The successful execution of this attack led to the extraction of a significant quantity of user data. The compromised information was described as customer contact data. The specific data points within the 25 columns included user names and surnames, email addresses, home addresses, postal codes (CAP), and province information. The data was reported to be from the year 2023, suggesting the records were relatively current at the time of the breach.
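The report does not give the technical details of the injection, so the following is an added illustration, not code from subitodisponibile.com or from the source article: a lookup against a constructed customer table with the column types named above (name, surname, email, address, CAP, province), shown once with the query text built by string concatenation and once with a bound parameter, to make clear why the first form lets a single input change the query's logic and return the whole table while the second does not.

```python
import sqlite3

# Constructed sample rows; all values are invented and the column set only
# mirrors the kinds of fields the report describes.
CUSTOMERS = [
    ("Mario", "Rossi", "mario.rossi@example.invalid", "Via Roma 1", "00100", "RM"),
    ("Luca", "Bianchi", "luca.bianchi@example.invalid", "Via Milano 2", "20100", "MI"),
    ("Anna", "Verdi", "anna.verdi@example.invalid", "Via Napoli 3", "80100", "NA"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (name TEXT, surname TEXT, email TEXT, "
        "address TEXT, cap TEXT, province TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    # Vulnerable pattern: the input is pasted into the SQL text, so it can
    # change the structure of the WHERE clause instead of acting as a value.
    sql = "SELECT name, surname, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # Hardened pattern: a bound parameter is always treated as data, never
    # as part of the query text, whatever characters it contains.
    sql = "SELECT name, surname, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Return row counts for a normal value and a tautology value on both paths."""
    conn = build_db()
    normal = "mario.rossi@example.invalid"
    # The classic always-true tautology: concatenated into the query text it
    # turns the filter into "email = 'x' OR '1'='1'", matching every row.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_crafted": len(lookup_safe(conn, crafted)),
    }
```

With the parameterized form the crafted value is simply compared as a literal email address and matches nothing; that single change is what denies an attacker the bulk-dump behaviour the report describes.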
Following the initial post on the Exposed forum, the incident was reported by the cybersecurity news blog Red Hot Cyber (RHC). Their article, published on June 13, 2023, served as the primary public source of information regarding the breach. The article detailed the nature of the forum post and the contents of the data sample. At the time of RHC's publication, there was no official public statement or notification from subitodisponibile.com itself regarding the alleged cyber attack. The website did not display any information pertaining to a security incident or a potential compromise of user data. RHC extended an offer to the company to provide a statement or updates on the situation, noting they would be willing to publish a follow-up article highlighting the company's response.
The incident involved the illicit sale of personal data on an underground forum, a common platform for such criminal activity. These forums are described as hidden, private online communities where cybercriminals gather to share knowledge, exchange sensitive information, and collaborate on illegal activities related to cybercrime. Access is often restricted to selected members or by invitation, and a high level of technical knowledge is typically required for participation. Discussions on these platforms cover a wide range of criminal endeavors, including hacking, fraud, data theft, the sale of sensitive information, and the development and distribution of malware. The Exposed forum itself is characterized as a well-known venue for such transactions, operating in a space previously occupied by other forums like Breach Forums and Raid Forums, which had been shut down by international law enforcement operations.
The immediate impact of the incident was the exposure of a large volume of personally identifiable information (PII) belonging to the users of subitodisponibile.com. The compromise of data such as names, physical addresses, and email addresses creates significant privacy risks for the affected individuals. This type of data can be leveraged for a multitude of malicious purposes, including targeted phishing campaigns, identity theft, financial fraud, and spam. The fact that the data was offered for sale on a criminal forum indicates the information has monetary value to other threat actors, who would purchase it to use in their own attacks. The reputational impact on subitodisponibile.com is another consequence, as the breach and the subsequent sale of user data can erode customer trust and damage the brand's credibility.
The public response and detection of the incident were initiated by external monitoring rather than internal security measures. The breach was first detected and disclosed by a cybercriminal within the Exposed forum community. Its discovery by the wider security community, specifically by Red Hot Cyber, came through the monitoring of these underground channels. RHC identified the post and analyzed its contents to provide a public account of the event. This suggests the initial detection was not performed by the victim organization's internal security team but by third-party actors tracking criminal activity online. The article noted that RHC would continue to monitor the evolution of the situation for any substantial developments and provided an encrypted email channel for whistleblowers or informed sources to anonymously submit further information.
There is no information available regarding any internal response or containment actions taken by subitodisponibile.com in the immediate aftermath of the public disclosure. The source material does not detail any steps the company may have taken to investigate the alleged SQL injection vulnerability, secure its systems from further exploitation, or assess the full scope of the intrusion. The absence of a public statement or notification on the company's website at the time of the RHC article's publication indicates a lack of public-facing incident response communication in the early stages. The long-term consequences for the affected users remain a concern, as their personal data is now in the hands of criminals and available for purchase on the dark web, potentially leading to future targeted attacks against them. The full technical details of the SQL injection vulnerability, the exact timeline of the attack prior to its publication on June 13, and the final disposition of the stolen data set were not revealed in the available information.
