KINIGUIDE | On Oct 19, technology portal Lowyat.net reported what may have been the largest trove of stolen personal data in Malaysian history when it found someone attempting to sell the data on its highly popular online forums.
This kicked off an investigation by the Malaysian Communications and Multimedia Commission and the police to find the source of the leak, and the breach was traced to an IP address in Oman.
Investigators also believe that the breaches took place sometime between 2012 and 2015.
At least part of the data that originated from the breaches is still being circulated online.
For this instalment of KiniGuide, we analyse the data to help make sense of the exact nature of the leaks and its implications.
Before we begin, some caveats:
The amount of data involved in the breaches is massive and its provenance unclear. Malaysiakini is unable to verify the data in entirety, nor rule out duplicates before counting the amount of data involved in the breaches.
For telecommunications companies (telco), some of the files are lists of phone serial numbers (IMEI) with no other data associated with it. Other files appear to have been drawn from the same database at different points of time.
Hence, the number of entries that purportedly originated from each telco is larger than the actual number of subscribers affected.
Furthermore, the data analysed, though massive, is not all that was leaked. Lowyat had reported that the leaked data included housing loan applications, which could not be located and is not part of this analysis.
No personal data was or will be published as a result of this analysis. Section 45 of the Personal Data Protection Act 2010 provides for an exemption for data processed for journalistic and public interest purposes.
What does the file look like?
The file comes in the form of a compressed folder (known as a .zip file) that is 3.4 gigabytes in size. Once fully unpacked, it unfurls into over 130 individual files organised into 15 folders, totalling 14.2 gigabytes.
Most of these files are spreadsheet files in either the Microsoft Excel format (.xls and .xlsx) or the comma separated values (.csv) format. There is also one database file in the .sql format.
Who got hit?
Number of entries: 16.3 million
Data leaked: Details of job candidates including name, IC/passport number, address, phone number, email, ethnicity, sex, date of birth, nationality, login information and hashed passwords.
What it means: In terms of privacy implications, this is arguably one of the more serious breaches due to the tendency of most people to reuse their passwords over multiple websites.
The passwords in the database are ‘hashed’, meaning that it had been coded in some way. Depending on how well this is implemented, however, it may be feasible to crack the code and reveal the password.
Jobstreet.com had instructed their users to reset their passwords in January 2017, so these accounts are now secure. However, a savvy hacker may still use the leaked passwords in an attack called ‘credential stuffing’.
This simply involves taking information found in the Jobstreet.com leak and using it to log into other services such as Facebook, email services, and others. If the user had been reusing his passwords and had not changed it since the leak, the trick would work.
You can check if you had been affected via the haveibeenpwned.com. If you have, you should change your passwords for all the services where you had been using the same password.
You should also consider adopting best practices for managing passwords, whether or not you have been affected, such as the one provided by the NGO Electronic Frontiers Foundation.
Number of entries: 1,769
Data leaked: Details of members including: Name, MyKad number, address, phone number, email, password, IP address.
What it means: FXUnited is ostensibly a foreign currency trading platform but had been placed on Bank Negara's consumer alert list since 2015.
The leaked passwords appear to be in plain text and can be read readily, but it also appears to have been randomly generated.
Those affected should change their passwords if this had not already been done, but unlike the Jobstreet.com database, there is little risk of exposing oneself to credential stuffing.
The other personal details still pose a privacy risk, however, as discussed below.
Number of entries: Altel (24,273), Celcom (18.0 million), DiGi (13.4 million), EnablingAsia (106, 069), FriendiMobile (6.7 million), Maxis (47.8 million), MerchantTradeAsia (1.8 million), PLDT (149,400), RedTone (246,612), TuneTalk (594,276), UMobile (37.8 million), XOX (79,138)...