On January 5, 2022, Cyble Research Lab discovered a Threat Actor (TA) who posted doxbin.com data on a cybercrime forum. Doxbin is a website used for leaking Personally Identifiable Information (PII), or “dox,” of any person of interest. The level of information gathered on a target varies from individual to individual. During our analysis of the data, we saw some DOX containing plain text passwords – a few had details such as name, email, location, occupation, etc.
Figure 1 shows the post by the TA on the cybercrime forum.
The TA claims that the data was initially posted on the Telegram channel of Doxbin. Upon further investigation, we found that TA named breachbase, also known as white, bought Doxbin for $75K. Still, after 2-3 months of acquisition, he sold it back to its previous owners kt & Brenton, and, along with that, leaked the doxbin data.
Figure 2 displays the Doxbin site.
The site recently started operating. As a result, a data leak notice was posted highlighting the incident exposing data of Doxbin users. Figure 2 showcases the recent data leak notice. The released statement pointed out that the leaked information refers to the Doxbin users accessing the site during the white/breachbase ownership. The leak includes information as follows:
- Account email addresses
- Bcrypt hashed passwords
- Blacklist information
- 2FA secret codes
- Plaintext passwords
After breachbase acquired the site, it’s suspected that the TA started logging data of Doxbin users like IP and plain text passwords. The leaked data contains information on individuals who doxed and those who got doxed.
Leaked data contains the following information:
- Contact Number
- Family member Details
- Geo Location
- IP address
- Aliases-Social media Handles
- Date of Birth
- Plain text passwords
- Stealer Logs
- National Identity Number
This leak has impacted the general population and the Threat Actors (TAs). In addition, we found a few doxed TAs whose PII was revealed on Doxbin. For example, figure 4 showcases the alleged PII of Omnipotent, the admin of a cybercrime forum RaidForums.
Figure 5 shows the alleged details of TA named pompompurin, one of the TA’s with a high reputation score on RaidForums.
Figures 6-9 contain sensitive records of a single Individual, and the data format is similar for other records.
Figure 10 shows a Social Security Number.
Figure 11 displays the details of the Doxbin users. The first record, ‘kt,’ belongs to the first owner of Doxbin.
Figure 12 shows the stealer logs. It appears that the victim was infected with a mercurial grabber.
The leaked data contains over 700K email addresses. Figure 12 displays the tentative count for the top 10 email domains exposed.
|Domain||Number of leaked Emails|
This leak has revealed a lot of sensitive information, and anyone can access it as data is freely available. Though there are details of individuals whose identities were doxed, the leak also contains details of individuals who doxed others. This leak can have impacts such as:
- Doxed information also includes work related details of an individual which might be exploited to carry to out phishing attacks.
- The leak includes login details and plain text passwords of some victims and Threat Actors can try to compromise those accounts.
- We might witness malicious activities such as identity theft emerging from this leak.
Following some essential cybersecurity best practices create the first line of control against attackers. We recommend our readers follow the best practices as given below:
- Impacted individuals must reset their passwords.
- Verify links received from untrusted sources before clicking them as TAs might attempt phishing.
- Check your email accounts and other exposed accounts for compromise.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Conduct regular backup practices and keep those backups offline or in a separate network.