At the end of January, a hacking group known only as ‘Focus’ on Twitter claimed to have dumped 50,000 records of Archos.com customers on Slexy, the self-proclaimed ‘hottest pastebin’ on the internet. The dump was spotted by both security researcher Troy Hunt and Arthur Clune, head of payments and information security officer at the University of York. A further data dump – allegedly of another 50,000 customers – made it onto Mega.co.nz, the free cloud storage website launched back in 2013 by Kim Dotcom.
These leaks contain personal and corporate email addresses hosted on French and international domains, and include customer first names and surnames.
Speaking to SCMagazineUK.com shortly after news first emerged, ‘Focus’ said that the data was legitimate – pointing to the database structure (also posted online) as “pretty good proof”. Meanwhile, Hunt verified that a “random selection of the emails in the dump” existed in the system at Archos.com. SC's own checks revealed the legitimacy of the email addresses, as you could force password resets on Yahoo and Gmail accounts.
“There are also multiple fundamental security flaws – no HTTPS on the log-in, password stored insecurely, password sent via email etc,” Hunt told SC. “Very sloppy and that's just from observations using the system as it was designed to function.”
Focus later confirmed that an SQL injection attack – a code injection technique used by attackers to exploit vulnerabilities in software applications, often to download database entries – had forced the error, and urged Archos, which mainly produces affordable Android smartphones and tablets, to check on its own end if the firm was unsure of the validity.
“Their servers have poor security,” said Focus. “The input of their site wasn't filtered, so we could manipulate the SQL commands.”
Archos CEO Loic Poirier said in a statement to SC on Friday: “We are aware that during the Christmas period a team of hackers found a minor hole in security on our servers and managed to gain access. The data obtained was limited to first name, last name and email address. The Archos e-commerce site redirects to a secure psp (platform security processor) for payment ensuring no credit card data can be obtained. There is no indication that encrypted passwords were taken in this instance.
“Following this minor incident the team quickly located and closed the security hole.” At the time of writing, Archos hadn't confirmed the nature of the attack or how many records had been compromised by the attackers.