A website that lets users buy and trade firearms was hacked, and as a result the names of the website's members were made public. The breach exposed large amounts of sensitive personal data belonging to more than 550,000 people, in some cases including customers' full names and addresses, email addresses, unencrypted passwords, and telephone numbers. The stolen data also reportedly makes it feasible to link a specific individual to the sale or purchase of a particular firearm.
“After you have all of this information, you may proceed to make a public listing and then resolve it back to the [data in the stolen database] so that you have the name, email address, physical address, and phone number of [the seller] and, presumably, the location of the gun,” Troy Hunt, a cybersecurity expert who runs the popular data breach repository and alerting service Have I Been Pwned, said.
Toward the end of the previous year, a security researcher who wished to remain anonymous found a server holding the data. It emerged that a hacker (or group of hackers) was using the server to store the stolen data. Because the server was not protected by any mechanism restricting who could access it, the researcher downloaded the data and examined it themselves.
The data the researcher found came from the website GunAuction.com, which has let users list firearms for sale online since 1998.
TechCrunch analyzed a portion of the compromised data and contacted 120 individuals by phone and 100 by email. Of them, ten confirmed that the information about them in the stolen database was accurate. How current the data is remains unknown, because messages to 25 of the email addresses could not be delivered or bounced back, and numerous phone lines were disconnected.